NetTalk Central

Author Topic: Password in the Settings Table  (Read 4499 times)

Rene Simons

  • Hero Member
  • *****
  • Posts: 650
    • View Profile
Password in the Settings Table
« on: May 05, 2019, 07:21:34 AM »
Hi,

When creating an app of some sort, at one time the user has to enter his/her credentials.
Think of a User name and a Password at least.

The Settings-table tab in the Activate Nettalk Web Server Window has an entry for the name of the password field in the Settings Table.
Now I have learned that storing passwords is a very bad habbit so I have doubts about storing the password in the Settings Table.
The settings Table is stored on the server, but also on the device.

Does this mean that the password is also on the device and is it un-encrypted?
Is there a relatively secure way to store the password in the Settings Table without the risc of it being exposed in some way?

Cheers,
Rene
Rene Simons
NT14.14

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Password in the Settings Table
« Reply #1 on: May 05, 2019, 11:12:58 PM »
Hi Rene,

So you have a range of options here, and it all depends on what you are doing.

a) perhaps your mobile app needs a user id, but not necessarily a password at all. So you could leave the field blank, and not use it. For example I have a "clockings" app - I need to ID the user, but a single "UserID" suffices. The user doesn't need a "password".

b) perhaps the app needs a password, but you will "remember" (aka "store") it on the device for them. (You should assume it's stored unencrypted). If the user loses the device, and the finder is able to run the app, then they will be logged in as the actual user. Terrible for a banking app, but probably just fine for a "driver on the road" type app.

c) perhaps the user needs to enter a password every time the app is used. Think banking app, or something like that. In this case, again, you won't use the Password field at all - you'll use a "memory form field" to capture that.

On the server side you again ave lots of options. Of course yes you should ideally not store the password. You should store a Salted Hash of the password. So in the syncDevices procedure you can take the incoming password value, sync, hash it, then store the result of that.

Lots of options - you just need to figure out which approach you best want to take.

cheers
Bruce