Re: CoreData: Save password securly
- Subject: Re: CoreData: Save password securly
- From: Adam Gerson <email@hidden>
- Date: Wed, 13 Feb 2008 19:14:08 -0500
The problem with a hash is I don't just need to compare the values, I
need to send the value on to another server that expects it as clear
text. Is there a way in Cocoa to store it with a salt known only to me,
but then use that same salt in my code to reverse it back to clear text?

I guess it's sounding more and more like Keychain is the right way to go.
I was just trying to get all into the CoreData, bindings, less code mindset.

Adam

Jens Alfke wrote:
> On 8 Feb '08, at 11:23 PM, Adam Gerson wrote:
>
>> Is there a way to save a password value into a core data store so
>> that it's secure from anyone who might go snooping around in the store
>> file?
>
> Yes — this is commonly done by server software to avoid storing users'
> cleartext passwords. What you do is run the password through a
> cryptographic hash function like SHA-1, and store the hash value in
> the file. Then when the user enters a password, you hash that and
> compare the result with the hash from the file.
>
> (For best results, append some unique-to-your-app string to the
> password before hashing it. That way if two different apps use this
> technique, the same password won't hash to the same value in both. To
> be precise, instead of calling SHA1(thePassword), call
> SHA1(thePassword+"mygroovyuniquestring") or something. That string is
> called "salt" by cryptographers.)
>
> You can access SHA-1 via the convenient API in
> <CommonCrypto/CommonDigest.h>.
>
> —Jens
_______________________________________________
Cocoa-dev mailing list (email@hidden)
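
An added example, not part of the original thread or anyone's posted code: because the password has to be recovered as clear text, one way to keep it out of the Core Data store file is to save only the account name in the managed object and put the secret in the Keychain, looked up by that name. The service name, account value and function names below are hypothetical; the calls are the Security framework's SecItem API.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Hypothetical service name; the Core Data entity stores only the account name.
static NSString * const kServiceName = @"com.example.MyApp.remote-server";

// Attributes that identify one generic-password item in the Keychain.
static NSMutableDictionary *BaseQuery(NSString *account) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kServiceName,
               (__bridge id)kSecAttrAccount: account } mutableCopy];
}

// Create the item, or replace its secret if the account already has one.
static OSStatus StorePassword(NSString *account, NSString *password) {
    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *update = @{ (__bridge id)kSecValueData: secret };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)BaseQuery(account),
                                    (__bridge CFDictionaryRef)update);
    if (status == errSecItemNotFound) {
        NSMutableDictionary *item = BaseQuery(account);
        item[(__bridge id)kSecValueData] = secret;
        status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    }
    return status;
}

// Return the clear-text password for sending to the server, or nil on failure.
static NSString *CopyPassword(NSString *account, OSStatus *outStatus) {
    NSMutableDictionary *query = BaseQuery(account);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    *outStatus = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (*outStatus != errSecSuccess) return nil;
    NSData *secret = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:secret encoding:NSUTF8StringEncoding];
}

int main(void) {
    @autoreleasepool {
        NSString *account = @"demo-user";   // constructed sample value
        OSStatus status = StorePassword(account, @"sample-password");
        if (status != errSecSuccess) { NSLog(@"store failed: %d", (int)status); return 1; }
        NSString *clear = CopyPassword(account, &status);
        NSLog(@"status %d, recovered %lu characters", (int)status, (unsigned long)clear.length);
        // Remove the demo item so repeated runs start clean.
        SecItemDelete((__bridge CFDictionaryRef)BaseQuery(account));
    }
    return 0;
}
```

Build on macOS with `clang -fobjc-arc keychain.m -framework Foundation -framework Security`.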