Best practice for storing user authentication credentials?


We'd like to have our users enter their University login/password once, and store it in the app so that we can send login information to multiple data sources.

What's the most secure way to do that? Ideally we'd like to get access to the iPhone's keychain and store it that way, but I don't see any hint of that in the Titanium docs.

What's our next best alternative?

— asked 2 years ago by Nick Wing
0 Comments

6 Answers

In addition to the keychain module in the marketplace, Aaron Saunders has also released a free module:

https://github.com/aaronksaunders/clearlyinnovative.keychain

Just saw this thread for the first time. I have not needed it, but did bookmark a link to an iOS keychain module. While not quite free, it seems beyond reasonable at under $6 USD. Small price to pay for the enhanced security of the keychain.

— answered 10 months ago by Doug Handy
1 Comment
  • LOL... Doug, are you stalking me :) You've single handedly solved 3 of my issues in just a mere couple of hours. I once again thank you sir!

    — commented 10 months ago by David Fischetti

I'm guessing that using Properties is what you're looking for, but I am not 100% sure:

Properties documentation

Like:

Ti.App.Properties.setString('username', 'foobar');

Cheers

Or you could store it in a Database too.

We're going to be introducing Keychain support for iPhone soon so you can securely store credentials there.

— answered 2 years ago by Jeff Haynie
7 Comments
  • So, 8 months have passed; I just want to know how it's going with Keychain support?

    — commented 2 years ago by mo imiaou

  • Now 12 months, any updates on this Jeff?

    — commented 10 months ago by Sharry Stowell

  • Hey Jeff. Is keychain support finally supported? Can't find documentation on it. What's the correct way to currently store passwords? Using Ti.App.Properties stores it in the clear. Is using a DB better? Thx

    — commented 10 months ago by David Fischetti


Gidday,

I've stored an MD5 hash of the password in a local database in one of my apps. As MD5 is a one-way algorithm, the password is never sent across the wire to the server. On the server I store the MD5 hash in a database, not the password.

It ain't perfect as there are MD5 crackers out there, but it kind of works. There are also encrypt functions in the pipeline based upon AES which may provide an even better solution.

I've also been playing with a hash of indexes. A simple idea which would allow you to select from a number of picture items in a grid, and that would produce a hash to be sent to the server. The items in the hash would change position randomly and be mixed up with a group of random pictures. Kind of like a PIN at an ATM, but using images instead and not having a fixed position on the screen.

Greg

@greg sending an MD5 of the password to your server means that you have injected additional weakness. In fact it's exactly the same as storing the raw text password.
