...
This code is incorrect because it decrypts the password stored in credentials.txt. An attacker could potentially decrypt this file to find out what the password is. This attacker could be someone who knows, or has figured out, the encryption scheme used by the program.
...
Noncompliant Code Example

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public final class HashExamples {
  private String salt = "ia0942980234241sadfaewvo32"; // Randomly generated, but the same for every password

  private void setPassword(String pass) throws Exception {
    MessageDigest sha_1 = MessageDigest.getInstance("SHA-1");
    byte[] hashVal = sha_1.digest((pass + salt).getBytes()); // hash the password and salt
    saveBytes(hashVal, "credentials.pw"); // save the hash value to credentials.pw
  }

  private boolean checkPassword(String pass) throws Exception {
    MessageDigest sha_1 = MessageDigest.getInstance("SHA-1");
    byte[] hashVal1 = sha_1.digest((pass + salt).getBytes()); // hash the password and salt
    byte[] hashVal2 = loadBytes("credentials.pw"); // load the hash value stored in credentials.pw
    return Arrays.equals(hashVal1, hashVal2);
  }

  // Helpers referenced but not shown on the original page; plain file I/O
  private static void saveBytes(byte[] data, String file) throws IOException {
    Files.write(Paths.get(file), data);
  }

  private static byte[] loadBytes(String file) throws IOException {
    return Files.readAllBytes(Paths.get(file));
  }
}
```
...
This code example fixes the decryption problem described above; however, it may still inadvertently keep the password in cleartext. The pass argument is an immutable String, so the Java garbage collector may not reclaim it from memory until much later. See "MSC10-J. Limit the lifetime of sensitive data" for more information.
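The following is an added example, not the code from the original page, showing how the two weaknesses discussed above (a hash that is cheap to brute-force with a single fixed salt, and a String password that lingers in memory) can both be addressed: a fresh random salt per password, a slow key-derivation function (PBKDF2 with HMAC-SHA256), a char[] password that is cleared as soon as it has been used, and a constant-time comparison on verification. The class name, file path and parameter values are assumptions chosen for the example.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class SaltedPasswordStore {
    private static final int SALT_BYTES = 16;       // per-password random salt
    private static final int ITERATIONS = 100_000;  // slows down offline guessing
    private static final int KEY_BITS = 256;
    private final Path store; // assumed location of the stored record, e.g. credentials.pw

    public SaltedPasswordStore(Path store) { this.store = store; }

    // Derive the hash from password and salt; PBEKeySpec's internal copy is cleared afterwards
    private static byte[] derive(char[] pass, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Store salt || hash so the salt can be recovered at verification time
    public void setPassword(char[] pass) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(pass, salt);
        Arrays.fill(pass, '\0'); // wipe the cleartext as soon as it is no longer needed
        byte[] record = new byte[salt.length + hash.length];
        System.arraycopy(salt, 0, record, 0, salt.length);
        System.arraycopy(hash, 0, record, salt.length, hash.length);
        Files.write(store, record);
    }

    public boolean checkPassword(char[] pass) throws Exception {
        byte[] record = Files.readAllBytes(store);
        byte[] salt = Arrays.copyOfRange(record, 0, SALT_BYTES);
        byte[] stored = Arrays.copyOfRange(record, SALT_BYTES, record.length);
        byte[] hash = derive(pass, salt);
        Arrays.fill(pass, '\0');
        return MessageDigest.isEqual(stored, hash); // constant-time comparison
    }
}
```

Callers should read the password into a char[] (for example via Console.readPassword) rather than a String, so that the clearing in setPassword and checkPassword actually removes the only copy.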