I am developing an android app that requires multiple default pa开发者_StackOverflow社区sswords to be stored.
Based on the password entered, the user will be shown different forms to be filled.
What is the best solution to store the default passwords if the number of default passwords are more say 10 to 20?
I see two possibilities:
- Hash all passwords (together with a salt!) and store the hashes in the normal sqlite database. Each time a user enters a password, you would generate the hash (with the salt) and look in the database if there is a mathing password hash. If no, no password was right. If yes, you can look which of the passwords matched, and forward to the correct form activity. Note that only one hash has to be performed when the user enters a password, so you can use slow hashing algorithms.
- Store passwords in an (AES-)encrypted database, or in encrypted form in the normal unencrypted database. You can then always calculate the plain-text form of the stored passwords, for easier comparison. This approach has the downside that you would have to store a secret (key or passphrase) within your app (or get it from your server each time), which is easy to retrieve by decompilation - if these are sensitive passwords or you protect sensitive data, that would be a no-go.
I would prefer the first possibility. Also, I would not use common MD5 as hashing algorithm, but at least SHA-512 or, even better, bcrypt. Here is a good thread explaining why and how to do that on Android: Stackoverflow-Thread. Basically, you must reckon that somebody will retrieve the sqlite database, and it's then very easy to find out weak passwords (with the help of rainbow-tables) if fast hashing algorithms (e.g. MD5) have been employed. Password salts do help, but only against google attacks. Bcrypt hashes (+ salt!) are much slower to generate (which is good), making even weak passwords hard to crack.
There are many storage options available in android. See this
If the data is limited then you can go for preferences.
精彩评论