Re: Password authentication
- Subject: Re: Password authentication
- From: Jens Alfke <email@hidden>
- Date: Thu, 13 Feb 2014 14:58:54 -0800
On Feb 13, 2014, at 2:28 PM, Daniel Wambold <email@hidden> wrote:
> I have hacked together a brief sample app illustrating how I prefer to do password authentication. It does not use the keychain, which can be useful as well. If it's of any interest or use, feel free. It's called "MyAuthenticator," which is the first thing listed on the page below. If I understood your goal, you wanted the user to authenticate themselves to the program (via a password) so you could reveal other, sensitive data? If so, this does just that.
It doesn't provide much security, though. Although reading the password file is harmless (because it's been hashed), the file can be _replaced_ with one created by the attacker that matches a password they know. Then they can log in. Also, unless the underlying sensitive data is encrypted, an attacker could grope into the app's data directory and read it.
To use this kind of password-based symmetric-key encryption securely, the _data_ to be protected has to be encrypted. So once the user's entered the password and you've derived an AES key from it, you use that key to decrypt the data file. If the decryption results in invalid data, the password was wrong.
—Jens
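To make the two points above concrete, here is an added example (not part of the thread, and not code from the "MyAuthenticator" sample) written in Go rather than Cocoa so it runs anywhere. The first half models the hash-file scheme and the attack Jens describes: the attacker writes a fresh verifier file for a password they know, and the check passes. The second half is the scheme he recommends: a key derived from the password (PBKDF2-HMAC-SHA256 with a random salt; the PBKDF2 here is a minimal RFC 8018 implementation kept inline so the example stays on the standard library, and the iteration count is an assumed placeholder) encrypts the data itself. AES-GCM is used so that a wrong password, or a replaced or edited file, fails with an explicit authentication error instead of relying on the decrypted bytes "looking invalid". The file layout (salt || nonce || ciphertext) and all names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16
	nonceLen = 12 // standard AES-GCM nonce size
	keyLen   = 32 // AES-256
	iters    = 100000 // assumed placeholder; tune to your hardware budget
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) kept inline for a
// dependency-free example. In real code use golang.org/x/crypto/pbkdf2 or a
// memory-hard KDF (scrypt/Argon2).
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	var out []byte
	mac := hmac.New(sha256.New, password)
	for block := uint32(1); len(out) < keyLen; block++ {
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(be[:])
		u := mac.Sum(nil)          // U_1
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i
			for j := range t {
				t[j] ^= u[j] // T ^= U_i
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// verifierFile models the hash-file approach: a stored password hash that
// gates access to data which itself stays in plaintext on disk.
type verifierFile struct{ Salt, Hash []byte }

func makeVerifier(password string) verifierFile {
	salt := randomBytes(saltLen)
	return verifierFile{salt, pbkdf2SHA256([]byte(password), salt, iters, keyLen)}
}

func checkVerifier(v verifierFile, password string) bool {
	return hmac.Equal(v.Hash, pbkdf2SHA256([]byte(password), v.Salt, iters, keyLen))
}

// ForgeLogin is the attack from the thread: the attacker never learns the
// user's password; they simply overwrite the verifier file with one for a
// password they chose, and the login check passes.
func ForgeLogin() bool {
	onDisk := makeVerifier("users-real-password")
	onDisk = makeVerifier("attacker-password") // attacker replaces the file
	return checkVerifier(onDisk, "attacker-password")
}

func newAEAD(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iters, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the sensitive data under a password-derived key.
// Output layout (assumed): salt || nonce || ciphertext+tag.
func Seal(password string, plaintext []byte) ([]byte, error) {
	salt, nonce := randomBytes(saltLen), randomBytes(nonceLen)
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(plaintext)+aead.Overhead())
	out = append(append(out, salt...), nonce...)
	return aead.Seal(out, nonce, plaintext, nil), nil
}

// Open derives the key from the password and the stored salt and decrypts.
// A wrong password or any modification of the file fails GCM authentication,
// so "wrong password" is an explicit error rather than a guess about the data.
func Open(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("file too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("wrong password or tampered file")
	}
	return pt, nil
}

func main() {
	fmt.Println("forged verifier file accepted:", ForgeLogin())
	blob, _ := Seal("correct horse battery staple", []byte("the sensitive data"))
	if _, err := Open("attacker-password", blob); err != nil {
		fmt.Println("attacker against encrypted file:", err)
	}
	pt, _ := Open("correct horse battery staple", blob)
	fmt.Printf("owner reads: %s\n", pt)
}
```

Note that the encrypted design still does not stop an attacker from deleting or replacing the data file; it only guarantees that whatever they can read or substitute is useless without the password, which is the property the hash-file scheme lacks.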
_______________________________________________
Cocoa-dev mailing list (email@hidden)