The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

How to store passwords?

My app needs to access POP3 mailboxes and it needs to store the passwords. Obviously this should be done in a fairly secure way.

I have never dealt with this kind of issue and I am wondering how this is done usually.

Are there any encoding libraries out there?
Max
Friday, April 15, 2005
 
 
Use a one-way, repeatable encryption algorithm such as SHA or MD5. One-way means that it can only be encrypted and that there is no algorithm for decryption. Repeatable means that the any given input string will always result in the same encrypted string.

When the password is initially stored, you run it through the algorithm and store the encrypted string in the password field of your database or whatever.

When a user tries to authenticate, you run the algorithm against their attempted password. Compare the attempted encrypted string against the stored encrypted string. If they match, the user has authenticated correctly. If they don't match, the password is wrong.
Lord Byron
Friday, April 15, 2005
 
 
That wouldn't work for POP3 boxes, Byron.
Shelley Send private email
Friday, April 15, 2005
 
 
I think the OP means to access other services (POP3) on behalf of users and needs to present the passwords to these other systems, not authenticating to his own system.
Just me (Sir to you) Send private email
Friday, April 15, 2005
 
 
The Sir is right. I need to be able to retrieve the password and pass it on to the POP3 server.
Max
Friday, April 15, 2005
 
 
What is the Windows equivalent of Keychain Services?

http://developer.apple.com/documentation/Security/Conceptual/keychainServConcepts/02concepts/chapter_2_section_1.html

Does every Microsoft application (IE, Outlook) implement its own password storage or is there a shared API that a developer can use?
Nate Silva Send private email
Friday, April 15, 2005
 
 
Just me (Sir to you) Send private email
Friday, April 15, 2005
 
 
That looks verry interesting. Thanks, Sir!
Nate Silva Send private email
Friday, April 15, 2005
 
 
By the way, one-way, repeatable methods are vulnerable to Dictionary attack.  Given an encrypted password, check it against a whole dictionary of encrypted passwords which use the encrypted version as a key to the plain-text version.

This is why it's so important to choose a 'good' password -- put a number in there somewhere, a special symbol or two.
AllanL5
Friday, April 15, 2005
 
 
The dictionary attack problem can be handled by using a "salted hash" - instead of running the hash function over the password, run it over password + random stuff (the salt).

Then you store both the salt and the hashed result.

This way, even if two people have the same password they'll still have different hash values.
Chris Tavares Send private email
Friday, April 15, 2005
 
 
A salted hash doesn't prevent dictionary attacks, only complicates them.  If there's 256 possible salts, for example, a dictionary has to have all 256 possible encrypted versions of the password instead of just one.

Unless the attacker can access wherever you're storing the salt, then it doesn't make a whole lot of difference.  (It still makes it harder to pre-compile a dictionary, but won't be of benefit against "on-the-fly" attacks.
Michael Chansky
Sunday, April 17, 2005
 
 
DPAPI is the way to solve this in Windows. Unfortunately you can't make it actually secure without some truly secret piece of data stored outside of the system. So if you can't have the admin type a password at startup all you're doing is encoding the password. With DPAPI this will protect against someone reading the registry remotely. If the can run code on the app's machine they will be able to decrypt your password.
igor Send private email
Friday, April 29, 2005
 
 

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
 
Powered by FogBugz