0

I understand that using salted hashing is the preferred method to save passwords in a database. However this works only when for interactive purposes. For example,

  1. User uses an registration form to fill passwords which is then saved as salted hash entry in the database.
  2. Next time when logs in with a password, the hashed value of it is compared against the database entry.

So far so good. What if I want to automate this login itself? ie., instead of user entering the password in an online form to submit the login password, I want to store the password somewhere in my local machine so that I may use it for automated authentication in the login form. The trouble is, I can't use salted hashing here as it is one-way and hence I need to go for encryption. If I choose encryption, I need to use a secure key to decryption which again must be stored somewhere. If I need to encrypt, how do I do this securely? If not, what is the best method. Is there a best practice for this sort of thing?

I have seen some failed implementations which have been cracked. SQL developer for example, https://stackoverflow.com/a/3109774/350136

Community
  • 1
  • 1
toddlermenot
  • 1,588
  • 2
  • 17
  • 33

1 Answers1

1

Mac OS X & iOS have the Keychain for saving credentials.

If you can't store credentials securely, use a token that can be revoked.

"Remember me" cookies & app-specific passwords are the same concept.

  • Thank you, Keychain is interesting but it is for OS X. Is there any cross platform solution? – toddlermenot Jul 13 '15 at 04:10
  • @toddlermenot Not sure what's available for other platforms. There's some discussion on StackOverflow for [Windows](http://stackoverflow.com/questions/442923/windows-equivalent-of-os-x-keychain) & [Android](http://stackoverflow.com/questions/1925486/android-storing-username-and-password). –  Jul 13 '15 at 20:14