
Let's say we have a client and a server. If the client wants to "connect" to the server, it needs to provide a password (in plaintext, transmitted over https). If the client were to remember the password, it opens a whole lot of vulnerabilities. Are these avoidable?

1 Answer


I assume you mean if the server were to remember the password. The client remembering the password is a direct trade-off between convenience and security, not much to discuss there.

Run the password through a "hash". This is, essentially, a one-way process - you can get from the password to the hash, but not the hash to the password. On the server side, you only store the hash. When someone wants to authenticate, take their password, hash it, and compare it to your stored hash. You do not have to store the password in plaintext this way.

This is very basic password handling stuff. There are some subtleties to getting it right. There's some discussion about a C# implementation here: Hash and salt passwords in C#

If you do mean the client remembering the password, you still don't need to store the password itself. Authenticate with the server and have it return a token which expires after a certain time. This token is good as a credential for logging in while it's valid. Your client only needs to store the token.

Ben Graham
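An added Python sketch of both halves of the answer above (it is not the answer's own code): salted, slow hashing with a constant-time compare on the server side, and expiring tokens for the client side. The PBKDF2 iteration count and the in-memory token table are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Added illustration, not the answer's own code. The server stores (salt, hash)
# per user; the plaintext password is never kept anywhere.
PBKDF2_ITERATIONS = 600_000  # assumption: tune so one derivation takes ~100 ms on your server


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, deliberately slow hash. A fresh random salt per user means equal
    passwords give different hashes and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Re-derive with the stored salt; compare in constant time so the check
    leaks no timing information about how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


# Client side: after a successful login the server hands out an expiring token
# and the client stores only that. The in-memory table below is an assumption.
_tokens = {}  # token -> (username, expiry as a unix timestamp)


def issue_token(username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, no user data inside
    _tokens[token] = (username, now + ttl_seconds)
    return token


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is known and unexpired, otherwise None."""
    now = time.time() if now is None else now
    entry = _tokens.get(token)
    if entry is None or now >= entry[1]:
        _tokens.pop(token, None)  # forget expired tokens
        return None
    return entry[0]
```

A real deployment would keep the token table in a store shared by all server instances and revoke tokens on logout; the logic is the same.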