Re: storing passwords
- Subject: Re: storing passwords
- From: Dan Sugalski <email@hidden>
- Date: Tue, 24 Dec 2002 13:18:52 -0500
At 5:44 AM -1000 12/24/02, David Rio Vierra wrote:
> There is the unix crypt() function for creating DES password hashes.
> See 'man 3 crypt' for details. If anyone knows about any better
> functions for this purpose, please chime in. You can store the
> encrypted password in a file (XML or otherwise), and set its
> permissions to octal 400 or equivalent so that only the file's owner
> can read it.
>
> When your program creates this file, it is usually owned by the user
> who launched the process. Of course, this won't stop an uninformed
> user from simply giving the file away.

Crypt is inappropriate for this purpose, as it's not an encryption
mechanism--rather it's a hashing mechanism. There's no way to get the
original password back out again, which would seem to be a
requirement for this application.

> On Tuesday, December 24, 2002, at 04:47 AM, David A. Feldman wrote:
>> I suppose this is as much a generic development question as a Cocoa
>> one, but perhaps someone can help me. I have an app that logs onto
>> remote AppleShare servers. I've been having a lot of difficulty
>> getting it to work with the Keychain -- and have posted here before
>> about that -- but I'm realizing that for unattended operation
>> (which is desirable for this app) the Keychain may not be the best
>> option anyway, since whenever there's a change to the OS it
>> re-requests permission to unlock the Keychain.
>>
>> I don't have a lot of experience writing security code. So, what
>> I'm wondering is this. Is there a way to securely store and
>> retrieve users' passwords and save them in the app's data file?
>> Some way to encrypt in such a way that my app can decrypt but no
>> one else can? Furthermore, the data file is human-readable (an XML
>> property list). If encrypted passwords are stored in it, is there
>> any way to tighten security further so that someone who gains
>> access to the data file can't just go ahead and use the encrypted
>> password with a copy of my app to gain access to the remote
>> server(s)? And if not, will users see that as a potential security
>> hole? Thanks.

--
Dan
--------------------------------------"it's like this"-------------------
Dan Sugalski even samurai
email@hidden have teddy bears and even
teddy bears get drunk
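
Added example, not part of the original thread: a sketch of the two points discussed above, namely that a password hash can only confirm a guess and never hand the password back, and that the stored file can be created with mode 0400 from the start. It swaps in PBKDF2-HMAC-SHA256 from the Python standard library for DES crypt(); the file name, sample password and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import stat
import tempfile

ITERATIONS = 200_000   # assumption: illustrative work factor
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """One-way: returns salt || digest. There is no inverse function."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(candidate: str, stored: bytes) -> bool:
    """All a hash allows: re-hash a candidate and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    again = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(again, digest)


def write_owner_only(path: str, data: bytes) -> None:
    """Create the file as 0400 at creation time, so it is never briefly
    readable by other users; O_EXCL refuses to reuse an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Store a hash of a constructed sample password and inspect the result."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.hash")   # hypothetical file name
        write_owner_only(path, hash_password("constructed-sample-password"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "rb") as fh:
            stored = fh.read()
    return {
        "mode": oct(mode),
        "right_guess": verify_password("constructed-sample-password", stored),
        "wrong_guess": verify_password("something-else", stored),
    }


if __name__ == "__main__":
    print(demo())
```

The stored bytes are enough to check a login against, but an application that must present the password itself to a remote server cannot get it from them.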