Good day. Having (finally) added my client for the site, I wondered how to store user passwords ... How secure is the storage of cookies and passwords in

getSharedPreferences("LoginPreferences", Context.MODE_PRIVATE) 

How can you protect yourself against password theft?

    4 answers

    Do not store passwords. That is, not in the code, not in the preferences, not in the database, nowhere at all.

    With one small clarification: you can if the password is encrypted. But the question immediately arises: where do you store the password for the cipher with which the password is encrypted? And so the circle closes :)

    But not everything is so sad. There are 2 approaches:

    1. The most correct way: store the password hash and, separately (if it is required), the salt for the password.
    2. Encrypt the password itself, and as the password for the cipher that encrypts it, use the device ID, MAC address, SIM card ID, and so on. In general, bind the encrypted contents of the password to the device, so that in the event of a data leak the password cannot be decrypted.
    • @Barmaley ♦, but they store it all the same!!! Mozilla itself (Tools -> Options -> Saved Passwords ...) - avp
    • @avp Yes, Mozilla stores them, and the bastard doesn't even encrypt them - it just encodes them in base64 and that's it :) Unless the user himself has set a master password, with which the passwords will then be encrypted. Mozilla does not store passwords the way it should. So everything is correct. Don't be like Mozilla! - Barmaley

    As I understand it, you want to set up automatic authorization so that the user does not have to enter the password again!? Maybe for this purpose it is better to use a "remember me" mechanism and store not the user's data but a hash that the server hands out? If, of course, there is such a possibility.

    • Unfortunately, there is no such possibility - PhoEn-X

    Storing a login/password pair in SharedPreferences will not give you maximum security, but it is safer than saving to a file.

    But the data strings can be encrypted using this method. And, following @Lookingfor's advice, you can get the secret key for encryption from the server, because if you put it in the APK, it can be decompiled and viewed. Although I am sure that no one will do it.

      I think it is enough to keep them in preferences