Hardcoding sensitive information, such as passwords, is an extremely dangerous practice. Doing so can have the following ominous effects -:
- The sensitive information can become accessible to whoever has access to the source code, for example, the developers.
Wiki Markup Once the system goes into production, it can become unwieldy to manage and accommodate changes to the code. For instance, a change in password willmay haveneed to be communicated using a patch \[[Chess 07|AA. Java References#Chess 07]\].
- In certain cases, it can also violate the fundamental principle of recalling the memory used to store the sensitive information as soon as the required operation has concluded. A carefully administered heap dump or application monitoring through a JVM debugger can expose the sensitive information if it persists over an extended period of time.
- Malicious users may use decompilation techniques to resurrect the hardcoded sensitive information. This is a critical security vulnerability.
...
Notably, when the password is no longer required, it has to be is left to at the mercy of the garbage collector. This is because String objects are immutable and continue to persist even after dereferencing themthey are dereferenced, until the garbage collector performs its job.
...