  1. DrewPre #1
    Developing an app....one of the user-inputs will be a password.

    I could just write it to a record, but is there a more secure way to store it in the database?

    Did a really quick search here and on Google and didn't find much help.

    Palm Pre Backup Utility...done!
    Locate Pre....done!
  2. #2  
    Is the password going to be sent to a server somewhere, or is it just to access your app locally? If the latter, you should just hash it instead. Then when the person enters their password you hash it the exact same way and compare the two hashes against each other.

    The simplest way is to MD5 it. It has been proven that MD5 can be broken, but the likelihood of it actually happening is extremely low. Plus, that is a lot of trouble to go through to access one password on one mobile device (versus an entire database of MD5ed passwords at a website).

    If security is of the utmost importance though you can use SHA256 or AES. Much stronger, but just a bit more overhead.

    MD5: Javascript MD5 - Javascript tutorial with example source code

    SHA256: JavaScript Implementation of SHA-256 Cryptographic Hash Algorithm

    AES: JavaScript Implementation of AES Advanced Encryption Standard in Counter Mode
    MoBill - Use your Authorize.net account to bill your customers with your webOS device!!
    MoJack - Track your lost or stolen webOS device from anywhere!
    Time to get VIRAL
  3. DrewPre #3
    Grrrr-ATE, Info!!

    Thanks!!!

    Unfortunately it's going to be the former, not the latter.

    Will be using the password to validate a client-server update.

  4. #4  
    Get the client-server password from the client during install, then ask them for a different password, and encrypt the former with the latter? The OpenSSL libs are available, so theoretically that would be possible with a range of ciphers, but I don't do JavaScript so I don't know how/if one could access those libs from the GUI.

    Cheers, Steve
  5. #5  
    I forgot to mention AES is true encryption, NOT a hash....so it's two way! That will solve your problem either way!

    That said, if the server is yours I would hash it on the server and then send a hashed version from the device and compare the two. If it isn't your server and you have no control over how it's stored then use AES to encrypt/decrypt and SSL to send.
    Last edited by Laxidasical; 04/02/2010 at 12:12 PM.
  6. #6  
    WebOS has encryption available via Mojo so you should take a look at that.
    cohoman

    Palm Apps:

    jVault and jChecklist
  7. #7  
    Keep in mind that by using encryption, you will also have to do some extra administrative work of requesting a CCAT number from the Department of Commerce. Otherwise Palm won't accept the app in the catalog.
  8. #8  
    Quote: Originally posted by dannns
    Keep in mind that by using encryption, you will also have to do some extra administrative work of requesting a CCAT number from the Department of Commerce. Otherwise Palm won't accept the app in the catalog.
    That is true, but if you use the WebOS Mojo encryption Palm provides you with their CCAT number.
    cohoman
  9. #9  
    Quote: Originally posted by dannns
    Keep in mind that by using encryption, you will also have to do some extra administrative work of requesting a CCAT number from the Department of Commerce. Otherwise Palm won't accept the app in the catalog.
    Does that apply to international apps only, or all apps???
  10. #10  
    Quote: Originally posted by Laxidasical
    Does that apply to international apps only, or all apps???
    They required me to get one even before international apps were available, delaying the original Safe Box release by a couple of months. I'm not sure how it works for developers outside the US.
  11. Minsc #11
    While you could certainly encrypt it, I think current best practices would suggest that you should hash it.
