Best practice for storing user authentication credentials?
We'd like to have our users enter their University login/password once, and store it in the app so that we can send login information to multiple data sources.
What's the most secure way to do that? Ideally we'd like to get access to the iPhone's keychain and store it that way, but I don't see any hint of that in the Titanium docs.
What's our next best alternative?
6 Answers
-
In addition to the keychain module in the marketplace, Aaron Saunders has also released a free module:
https://github.com/aaronksaunders/clearlyinnovative.keychain
-
Just saw this thread for the first time. I have not needed it, but did bookmark a link to an iOS keychain module. While not quite free, it seems beyond reasonable at under $6 USD. Small price to pay for the enhanced security of the keychain.
-
Or you could store it in the database too.
We're going to be introducing Keychain support for iPhone soon so you can securely store credentials there.
-
Gidday,
I've stored an MD5 hash of the password in a local database in one of my apps. As MD5 is a one-way algorithm, the password is never sent across the wire to the server. On the server I store the MD5 hash in a database, not the password.
It ain't perfect as there are MD5 crackers out there, but it kind of works. There are also encrypt functions in the pipeline based upon AES which may provide an even better solution.
I've also been playing with a hash of indexes. A simple idea which would allow you to select from a number of picture items in a grid and that would produce a hash to be sent to the server. The items in the hash would change position randomly and be mixed up with a group of random pictures. Kind of like a PIN in ATM machines, but using images instead and not having a fixed position on the screen.
Greg
-
@greg sending an MD5 of the password to your server means that you have injected additional weakness. In fact it's exactly the same as storing the raw text password.
-
I'm guessing that using Properties is what you're looking for, but I am not 100% sure:
Like:
Ti.App.Properties.setString('username', 'foobar'); // persists a string under the key 'username'
Cheers