0

I have my site's passwords hashed with mysql's password() function. I would prefer to hash the login password on the phone before putting it in the url to access the server. I would prefer to store it on the phone this way, too. I see that someone has a function for md5 out there. Is there one for this?

regards and thanks.

Nelson
  • 11
  • 1

3 Answers3

1

Although I haven't seen any Objective C MySQL PASSWORD() implementations, you might want to consider an alternate mechanism. For example, if you are attempting to obscure the password you could do something like an XOR on it with a prior known or computed value. Not high security but protects it somewhat in transit. A better approach may be to use a symmetric key encryption algorithm and encrypt it on client side (iPhone) and decrypt it on server side. You can use standard ones like 3DES, AES, Blowfish, and so forth for this. Again a shared secret must be defined, but then the server would be able to call PASSWORD() on the decrypted value in order to get the hash for validation.

Using HTTPS would also be a good consideration, no matter what solution you are using.

pauld
  • 41
  • 2
0

this covers md5 on iphone . Using MD5 hash on a string in cocoa?

Community
  • 1
  • 1
madmik3
  • 6,975
  • 3
  • 38
  • 60
  • hi, I was looking at this, thinking that MD5 was the same as the password() function in MYSQL, but alas it isn't. I already have the passwords hashed in the database, so I either have to hash it with the same function on the phone or the server again. thanks! – Nelson Feb 01 '11 at 23:23
0

The short answer: you're not supposed to use the MySQL PASSWORD() function in your application.

Paul is correct - when protecting against man-in-the-middle attacks, you have two options:

  1. Obfuscate the users passwords (which you were attempting to do by hashing on the client-side)
  2. Encrypt traffic (using HTTPS)

Protip: number 2 is the only reliable thing to do.

TehShrike
  • 9,855
  • 2
  • 33
  • 28