Titanium Community Questions & Answer Archive

We felt that 6+ years of knowledge should not die so this is the Titanium Community Questions & Answer Archive

Best practice for storing user authentication credentials?

We'd like to have our users enter their University login/password once, and store it in the app so that we can send login information to multiple data sources.

What's the most secure way to do that? Ideally we'd like to get access to the iPhone's keychain and store it that way, but I don't see any hint of that in the Titanium docs.

What's our next best alternative?

— asked March 22nd 2010 by Nick Wing
  • iphone
  • login
  • mobile
  • password
  • security

6 Answers

  • In addition to the keychain module in the marketplace, Aaron Saunders has also released a free module:


    — answered February 13th 2012 by Kevin Whinnery
  • Just saw this thread for the first time. I have not needed it, but did bookmark a link to an iOS keychain module. While not quite free, it seems beyond reasonable at under $6 USD. Small price to pay for the enhanced security of the keychain.

    — answered August 2nd 2011 by Doug Handy
    1 Comment
    • LOL… Doug, are you stalking me :) You've single handedly solved 3 of my issues in just a mere couple of hours. I once again thank you sir!

      — commented August 2nd 2011 by Dave F
  • Or you could store in Database too.

    We're going to be introducing Keychain support for iphone soon so you can securely store credentials there..

    — answered March 22nd 2010 by Jeff Haynie
    • So, 8 months have passed, I just want to know how's it going with Keychain support?

      — commented November 3rd 2010 by mo imiaou
    • Now 12 months, any updates on this Jeff?

      — commented July 25th 2011 by Sharry Stowell
    • Hey Jeff. Is keychain support finally supported. cant find documenation on it. Whats the correct way to currently store passwords. using Ti.App.Properties stores it in the clear. Is using a DB better? Thx

      — commented August 2nd 2011 by Dave F
    • David, me again. :) SQLite databases are also in the clear unless you apply your own encryption and store the encrypted value. If you want to go that route, consider something like this or this.

      Also consider the keychain module I mention in another answer.

      — commented August 2nd 2011 by Doug Handy
    • The keychain module is exactly what I need. THANK YOU!!! is there a repository listing all these different 3rd party modules? There should be!

      — commented August 2nd 2011 by Dave F
    • Not that I know of, but I keep a folder in my bookmarks for interesting modules which I run across mentioned in the Q&A. That way if / when I need one, I don't have to try and navigate the Q&A search in an attempt to find it again. Most modules are hosted on github, so that is a good place to look. But see also this blog entry. If it catches on, it may become a good resource for locating modules.

      — commented August 2nd 2011 by Doug Handy
    • Two years ago. Will the Keychain really be supported?

      — commented February 8th 2012 by Felipe Cypriano
  • Gidday,

    I've stored an MD5 hash of the password in a local database in one of my apps. As MD5 is a one way algorithm - the password is never sent across the wire to the server. On the server I store the MD5 hash in a database not the password.

    It ain't perfect as there are MD5 crackers out there, but it kindof works. There are also encrypt functions in the pipeline based upon AES which may provide an even better solution.

    I've also been playing with a hash of indexes. A simple idea which would allow you to select from a number of picture items in a grid and that would produce a hash to be sent to the server. The items in the hash would change position randomly and be mixed up with a group of random pictures. Kindof like a PIN in ATM machines, but using images instead and not having a fixed position on the screen.


    — answered March 22nd 2010 by Gregor Munro
  • @greg sending an md5 of the password to your server means that you have injected additional weakness. In fact its exactly the same as storing the raw text password.

    — answered March 30th 2010 by Dan Mullineux
  • Im guessing that using Properties is what you're looking for but I am not 100%:

    Properties documentation


    Ti.Api.Properties.setString('username', 'foobar');


    — answered March 22nd 2010 by Dana Woodman
    1 Comment
    • I believe that should be: Ti.App.Properties.setString('username', 'foobar');

      — commented January 8th 2011 by Greg Hoole
The ownership of individual contributions to this community generated content is retained by the authors of their contributions.
All trademarks remain the property of the respective owner.