Hardcoded Authentication Details – When and Where?

August 5, 2015

We’ve probably all written something like this when we’ve been learning a language, but outside of learning, is there any legitimate use for this kind of code?

Generally, no. This is a horrible way to authenticate users. Not only is it difficult to change the details, but the login details follow the code into any version control system, published outputs, etc., and they are stored in plain text.

The one use I can think of for code like this is a quick mockup as a demo only. Code like this should never, ever see a live system. Especially one with a public front to it.

Instead, login details should be stored within some form of data store. File, database, or similar. Not in the code. Ideally any passwords should be salted and hashed too.

To hash a salted password, you could do something similar to this.

Salting is the act of adding an additional string to the password, usually formed of random characters. This can be appended, prepended, inserted, or whatever, as long as you add it the same way each time and keep the same salt for each user. Different users may have different salts, though. (Doing so is more secure too! This way the same password for two different users will result in a different hash!)
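As an added example (not code from the original post), here is the approach the last few paragraphs describe, written in Python: a hardcoded check shown only as the "before", next to a version that keeps a per-user random salt and a salted hash in a data store instead of the code. The in-memory `USER_STORE` dict, the sample usernames and passwords, and the `ITERATIONS` work factor are all constructed for the illustration; a real system would back the store with the file or database the post recommends. The hash used is PBKDF2-HMAC-SHA256 from the standard library, which is one common way of doing the "salted and hashed" step.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# "Before": the pattern the post warns against. The username and password live in
# the source, so they end up in version control and are readable by anyone with the code.
def login_hardcoded(username: str, password: str) -> bool:
    return username == "admin" and password == "letmein"  # constructed sample values


# "After": credentials live in a data store, never in the code.
# Constructed in-memory stand-in for a file or database: username -> (salt, hash).
USER_STORE: Dict[str, Tuple[bytes, bytes]] = {}

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster
SALT_BYTES = 16       # 128-bit random salt per user


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash: the salt is mixed in the same way every time so it can be re-checked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register_user(username: str, password: str, salt: Optional[bytes] = None) -> None:
    """Store a fresh random salt and the salted hash; the plaintext password is not kept."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # each user gets their own salt
    USER_STORE[username] = (salt, hash_password(password, salt))


def verify_user(username: str, password: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    record = USER_STORE.get(username)
    if record is None:
        # Unknown user: do the same amount of work so response time does not
        # reveal which usernames exist, then reject.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = record
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def same_password_gives_different_hash(user_a: str, user_b: str) -> bool:
    """True when two users' stored hashes differ (the point of per-user salts)."""
    return USER_STORE[user_a][1] != USER_STORE[user_b][1]


if __name__ == "__main__":
    # Two users pick the same (constructed) password; their stored hashes still differ.
    register_user("alice", "correct horse battery staple")
    register_user("bob", "correct horse battery staple")
    print("alice login ok:", verify_user("alice", "correct horse battery staple"))
    print("alice wrong pw:", verify_user("alice", "wrong"))
    print("unknown user:", verify_user("carol", "anything"))
    print("different hashes:", same_password_gives_different_hash("alice", "bob"))
```

Note that `verify_user` never compares the password itself, only the freshly derived hash against the stored one, and that changing a password means replacing one record in the store rather than editing and redeploying code.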