How mobile app saves user passwords

<span style= "FONT-SIZE:14PX;" > For a better user experience, mobile app clients typically save user information so that they can automatically log in later .</span>

Saving user information involves a security issue.

There are several ways to solve this:

1. First, if both the client and the server are you to design the development, then there are two more reliable scenarios

A. The client will encrypt the password hash and save the hash value to SQLite after the login is successful. The server obtains the user name and the hash value, uses the same algorithm to hash the password, then compares with the user's hash value, The login is successful. More reliable is to encrypt the password with salt. For example, you can use PBKDF2 to add salt encryption.

<span Style= "FONT-SIZE:14PX;" >public static string CreateHash (string password) throws NoSuchAlgorithmException, Invalidkeyspecexception {return CreateHash (Password.tochararray ());} /** * Returns A salted PBKDF2 hash of the password. * * @param password * The password to hash * @return A salted PBKDF2 hash of the password */public static stri Ng CreateHash (char[] password) throws NoSuchAlgorithmException, invalidkeyspecexception {//Generate a random Saltsecurerandom random = new SecureRandom (); byte[] Salt = new byte[salt_byte_size];random.nextbytes (salt);//Hash the PA Sswordbyte[] hash = PBKDF2 (password, salt, pbkdf2_iterations, hash_byte_size); return pbkdf2_iterations + ":" + tohex (salt ) + ":" + tohex (hash);} </span> 

The encrypted string is 1000:1507039DE0A3C2C88DDF896233278E37D05FD8A0FADC570D:99222374678D4AFE5D7D9BF9BE4786E17F045AC217C6A2CA ,

1000 is the number of iterations, followed by the salt and hash values.

After the server gets the string, it parses the number of iterations, salt,hash1 the value, and then uses the same algorithm to calculate the password inside the database.

public static Boolean ValidatePassword (string password, string correcthash) throws NoSuchAlgorithmException, invalidkeyspecexception {return ValidatePassword (Password.tochararray (), Correcthash);} /** * Validates a password using a hash.  * * @param password * The password to check * @param correcthash * The hash of the valid password * @return True if the password is correct, false if not */public static Boolean ValidatePassword (char[] password, String Co Rrecthash) throws NoSuchAlgorithmException, invalidkeyspecexception {//Decode the hash into its parametersstring[] params = Correcthash.split (":"); int iterations = Integer.parseint (Params[iteration_index]); byte[] Salt = Fromhex ( Params[salt_index]); byte[] hash = Fromhex (Params[pbkdf2_index]);//Compute The hash of the provided password, using the SA Me salt,//iteration count, and hash lengthbyte[] Testhash = PBKDF2 (password, salt, iterations, hash.length);//Compare th e hashes in constant time. The password is CorreCT if//both hashes Match.return slowequals (hash, testhash);} 

if HASH2 and hash1 are consistent, the login succeeds. At the same time, the client saves the encrypted string to the local database and reads directly from the database the next time it logs on .

B. Encrypt the password using an asymmetric encryption algorithm.

1. The client encrypts the password with the public key, obtains the encrypted string, and sends it to the server.
2. The server uses the private key to decrypt the password, verify it,
3. After the login is successful, the client saves the encrypted string to local, which is convenient for the next automatic login;

using asymmetric encryption is a reliable way to get a password even if the encrypted string is compromised.
2. If you are only in charge of the client and are powerless on the service side, then you may only use symmetric encryption. (if you are writing a client for the school library, you also want to set up automatic login, you can only use symmetric encryption locally, save the encrypted string locally, and then the next time you log on automatically, remove the encrypted string from the database and then decrypt ...) The service side only recognizes the original password) in this case, you can only consider how to generate the encryption key, and how to save the key and how to confuse it. a method was considered: Add decryption Function des (passwd,key,encode); str1 = des (Passwd,key,encode); str2 = DES (Key,str1,encode); Save the STR1:STR2 in the local database. when decrypting, str2 the key with str1 decryption. then, STR1 is decrypted with key to get passwd. Asymmetric encryption can only increase the strength of the password in such a logical degree of complexity.

Another reference article: http://blog.csdn.net/hengyunabc/article/details/34623957

How mobile app saves user passwords