There is an application like chat. On the server there is a database where passwords (hashes) and logins are stored. What is the best way to organize a login? I can save the username and password in the user database (sqlite), and then substitute it, but I don’t really like it, because you can easily hijack the data. You can somehow encrypt, but knowing the algorithm, you can decipher. What is the best way to do? Where is the safest store?

The same chrome is just outrage. Passwords are encrypted using the standard method, which makes it easy to steal them.

1 answer 1

In general, this task is unresolvable - any information available to the client is potentially accessible to the attacker. You can only increase the cost of a potential attacker to obtain information.

For a start, a good base64 conversion of a password might be a good idea. A bunch of incomprehensible beeches in itself can scare an intruder.

However, even a frightened attacker can simply copy the password to himself and use your own program. Therefore, the next level of protection is to encrypt the password with any symmetric algorithm, and keep the key in a different place. In this case, the attacker will first have to find where the key is stored in order to use the stolen password.

Last line of protection - instead of a password, you need to store a special token issued by the server after authorization. With this token can be associated with a certain minimum set of rights required by the application, elevation of rights - only through a second password request.

Thus, the attacker who stole the token will be able to write to the chat on behalf of the user - but will not be able, for example, to change his password and thereby hijack the account permanently.

  • "Thus, the attacker who stole the token" this token can, in addition, be tied to the user ID in the system, then the attacker can write on behalf of the user only from his computer. - Alekcvp
  • @Alekcvp Well, that was the second item. - Pavel Mayorov