Comment: Edited by NavBot (vkp) v1.0

Hard-coding sensitive information such as passwords, server IP addresses, and encryption keys is an extremely dangerous practice, because any adversary who obtains the class files can decompile them and recover that information. It also makes the system unwieldy to manage once it is in production: a change to a hard-coded value requires changing the code, so a password change, for instance, may have to be communicated as a patch \[[Chess 2007|AA. JavaBibliography#Chess References#Chess 07]\].
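As an added illustration (not code from the original rule text), the following Java class places the hard-coded form beside a compliant loader that reads the secret from an external, permission-protected file into a char[] and wipes it after use. The file path and the placeholder literal are assumptions.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

public final class CredentialLoader {

    // Noncompliant: this literal is stored in the .class constant pool, so anyone
    // holding the class file can read it back with javap or a decompiler.
    // (Constructed placeholder, not a real credential.)
    static final String HARD_CODED_PASSWORD = "PLACEHOLDER-DO-NOT-USE";

    // Compliant: the secret lives outside the build artifact, guarded by
    // file-system permissions. It is returned as char[] rather than String so
    // the caller can zero it; a String is immutable and lingers until GC.
    static char[] loadPassword(Path secretFile) throws IOException {
        byte[] raw = Files.readAllBytes(secretFile);
        try {
            CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
            char[] password = new char[decoded.remaining()];
            decoded.get(password);
            Arrays.fill(decoded.array(), '\0');   // wipe the decoder's copy too
            return stripTrailingNewline(password);
        } finally {
            Arrays.fill(raw, (byte) 0);            // wipe the raw bytes
        }
    }

    // Editors usually leave a trailing newline in the secret file; drop it
    // without leaving the longer copy behind in memory.
    private static char[] stripTrailingNewline(char[] in) {
        int len = in.length;
        while (len > 0 && (in[len - 1] == '\n' || in[len - 1] == '\r')) len--;
        if (len == in.length) return in;
        char[] out = Arrays.copyOf(in, len);
        Arrays.fill(in, '\0');
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical location; in deployment something like /etc/myapp/db.pw, mode 0600.
        Path secretFile = Paths.get(args.length > 0 ? args[0] : "db.pw");
        char[] password = loadPassword(secretFile);
        try {
            System.out.println("Loaded a " + password.length + "-character secret");
            // hand 'password' to the authenticating API here
        } finally {
            Arrays.fill(password, '\0');           // do not leave the secret in memory
        }
    }
}
```

Verifying the difference is straightforward on the defender's side: running javap -v on the compiled class lists the placeholder literal in the constant pool, while the secret loaded from db.pw never appears in the artifact.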

Noncompliant Code Example

...

\[[Gong 2003|AA. JavaBibliography#Gong References#Gong 03]\] 9.4 Private Object State and Object Immutability
\[[Chess 2007|AA. Java References#ChessBibliography#Chess 07]\] 11.2 Outbound Passwords: Keep Passwords out of Source Code
\[[Fortify 2008|AA. Java References#FortifyBibliography#Fortify 08]\] "Unsafe Mobile Code: Database Access"
\[[MITRE 2009|AA. Java References#MITREBibliography#MITRE 09]\] [CWE-259|http://cwe.mitre.org/data/definitions/259.html] "Hard-Coded Password"; [CWE-798|http://cwe.mitre.org/data/definitions/798.html] "Use of Hard-coded Credentials"

...