How can I implement password recovery in an iPhone app?_问答_开发者

How can I implement password recovery in an iPhone app?

开发者 https://www.devze.com 2023-03-15 23:59 出处：网络

I would like to add simple password protection in an iPhone App that I am working on. I will probably use crypt() to store the password in my database which in in CoreData / sqlite format.

相关专题：passwords

I would like to add simple password protection in an iPhone App that I am working on. I will probably use crypt() to store the password in my database which in in CoreData / sqlite format.

I think I have a pretty good understanding of how to create and store the password, but in case th开发者_运维百科e user forgets their password, I would like to add a password recovery ability

This is the part that I'm struggling with in iOS. I want everything to be local, so I can't think of a way to use a link to reset a password.

I had thought about emailing the password, but in iOS there is no way to send emails without the person holding the device seeing the contents of the email.

The only way that I can think of is to have one or two "backup passwords" which is basically the answer to a question of the user's choice (or maybe even just storing a reminder question along with the password).

Neither of these are really that secure, although the data being protected in my app is not that critical, so I'm not looking for the most robust solution (just a decent solution that is not too hard to implement, not too inconvenient for the user, and not too hard for a hacker to break).

Suggestions are greatly appreciated.

Thanks, Ron

Instead of recovering a password, you can prompt to reset a password using criteria that is set up when they initially create their account -- such as mothers maiden name, last-4, etc. This way, you don't need to worry about decrypting a password or sending it to the user. Once they answer enough security questions correctly, they are prompted to reset their password. You can store this data encrypted locally. You'll never need to send a password to the user.

The easiest way is probably to make "password protection" optional and display a warning ("if you forget your password, your data may be irrecoverable!").

It's not going to be that secure: The data is probably going to appear unencrypted in a phone backup, unless you encrypt it yourself. The upshot is that determined users can ask you for help, and you can write them a tool that digs through the unencrypted backup and resets the password.

Avoid the built-in crypt(), which is probably DES-based and limited to 8 ASCII characters. Storing the plaintext password in the keychain is not too terrible an option.