Page History

Hardcoding sensitive information, such as passwords, server IP addresses and encryption keys, is an extremely dangerous practice. This is because adversaries who have access to the class files can decompile them to discover the sensitive information. Additionally, once the system goes into production mode, it can become unwieldy to manage and accommodate changes to the code. For instance, a change in password may need to be communicated using a patch \[[Chess 072007|AA. Java References#Chess 07]\]. 

\[[Gong 032003|AA. Java References#Gong 03]\] 9.4 Private Object State and Object Immutability
\[[Chess 072007|AA. Java References#Chess 07]\] 11.2 Outbound Passwords: Keep Passwords out of Source Code
\[[Fortify 082008|AA. Java References#Fortify 08]\] "Unsafe Mobile Code: Database Access"
\[[MITRE 092009|AA. Java References#MITRE 09]\] [CWE-259|http://cwe.mitre.org/data/definitions/259.html] "Hard-Coded Password," [CWE-798|http://cwe.mitre.org/data/definitions/798.html], "Use of Hard-coded Credentials"