How to store passwords offline

Although this focuses on Windows Phone 7, I assume this principle is universal. I would like to have a password protected zone in my application. However, my application is completely disabled, so I will need to store the credentials on the phone. My initial idea is to store a password and salt hash. Would this be the best way? If so, should the hash and salt be stored as plain text, or is there a way to make sure that even they are encrypted? I understand that with the whole circuit over the phone it will eventually be cracked, but what would be the best way to raise the barrier? Thanks for any suggestions.

+2
3 answers

Yes, you must keep the hash of the password and salt. If you were not comfortable storing them in plain text, you could also encrypt this data symmetrically. But then you will also need to store a symmetric key.

When deciding which approach to take, consider the meaning of what is protected / secure and the time it takes for encryption / decryption (although I doubt this will be a problem in your circumstances).

As you mentioned, it is also important to remember that security is a process, not something you can do once and forget. It is important to periodically check safety practices and constantly update information on changes in best practices and violations.

Nevertheless, I hope that the data security on the phone will be good for many months.

+1
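The storage scheme this answer describes (a per-password random salt, a slow iterated hash, and the resulting record kept in plain text on the device), as an added example that is not part of the original answer. It uses PBKDF2-HMAC-SHA256 from the standard library; the JSON record layout and the iteration count are this example's own choices, and only the hash and salt are ever written to disk, never the password.

```python
import hashlib
import hmac
import json
import os

# Work factor: raises the cost of each guess on a leaked record.
# Tune it to what the device's CPU tolerates at login time.
ITERATIONS = 100_000


def create_record(password: str, salt: bytes = None) -> dict:
    """Return the record to persist: salt, iteration count and hash (all safe in plain text)."""
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def save_record(record: dict, path: str) -> None:
    """Persist the record; the password itself never reaches storage."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(record, f)


def load_record(path: str) -> dict:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


if __name__ == "__main__":
    rec = create_record("correct horse")       # constructed sample password
    save_record(rec, "credentials.json")
    print(verify_password(load_record("credentials.json"), "correct horse"))  # True
```

If the record is additionally encrypted as the answer suggests, the symmetric key still has to live on the device, so the gain is limited to raising the effort for an attacker who only reads the file.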

Personally, I would encrypt passwords with a salt based on the unique identifier of the device (and, if possible, user input, like a very short password [dog, cat, bean], something like that).

Just an offer. Please do not reduce it if you do not feel it's best.

+2

I would just keep MD5.

-2
