Re: storing passwords
Re: storing passwords
- Subject: Re: storing passwords
- From: Michael Latta <email@hidden>
- Date: Tue, 24 Dec 2002 09:28:31 -0800
Passwords should be stored in the KeyChain. This allows the user to
manage them, clear them, and to reuse them without exposing them to
others. A quick search on "KeyChain" in PB produced a large list of
information on the subject.
- Michael
On Tuesday, December 24, 2002, at 07:44 AM, David Rio Vierra wrote:
There is the unix crypt() function for creating DES password hashes.
See 'man 3 crypt' for details. If anyone knows about any better
functions for this purpose, please chime in. You can store the
encrypted password in a file(XML or otherwise), and set its
permissions to octal 400 or equivalent so that only the file's owner
can read it. When your program creates this file, it is usually owned
by the user who launched the process. Of course, this won't stop an
uninformed user from simply giving the file away.
- Rio
On Tuesday, December 24, 2002, at 04:47 AM, David A. Feldman wrote:
I suppose this is as much a generic development question as a Cocoa
one, but perhaps someone can help me. I have an app that logs onto
remote AppleShare servers. I've been having a lot of difficulty
getting it to work with the Keychain -- and have posted here before
about that -- but I'm realizing that for unattended operation (which
is desirable for this app) the Keychain may not be the best option
anyway, since whenever there's a change to the OS it re-requests
permission to unlock the Keychain.
I don't have a lot of experience writing security code. So, what I'm
wondering is this. Is there a way to securely store and retrieve
users' passwords and save them in the app's data file? Some way to
encrypt in such a way that my app can decrypt but no one else can?
Furthermore, the data file is human-readable (and XML property list).
If encrypted passwords are stored in it, is there any way to tighten
security further so that someone who gains access to the data file
can't just go ahead and use the encrypted password with a copy of my
app to gain access to the remote server(s)? And if not, will users
see that as a potential security hole? Thanks.
--Dave
----------------------------------------------------------------------
----
David A. Feldman
User Interface Designer
email@hidden
http://InterfaceThis.com
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.