So in my app (iOS), you have to register in order to use the service (a food service). But in order to change details about your account (username, password, and email), you have to re-enter your password. Except if the user logs out, this is the only time you need your password to use the app. So I was wondering, since the user basically never uses their password, and it's likely they would forget it the one time they might need it, is it OK if I store their password on their local device (in NSUserDefaults)?
Since their password would only be on their local device, it doesn’t seem like a security risk. If the app was hacked, the only password they could get would be their own.
Further, I was planning on just storing it as a string (no encryption). Would it make a difference if I hashed it or encrypted it before saving the password to their defaults?
Thanks in advance.
Use the Keychain to store passwords. I learned how to do that using this link, and the KeyChainItemWrapper class can be found here.
I don't think you need to encrypt it if you use the Keychain. Also, NSUserDefaults is not recommended for storing passwords.
Users tend to stick with 1 or 2 passwords. If the app was hacked by another app, then having the user's password for your service might grant access to other, more sensitive resources besides your food service. A better method may be to store some sort of long-term authentication token on the phone rather than the password itself. That token could be tied to the user's account information on the server, thus allowing the user to enter their password just once while keeping his or her password secure.
Depending on the circumstances you could use the Keychain.
There are some advantages of using the keychain, and things like UICKeyChainStore and STKeychain make it pretty simple to implement.
Features to be aware of are:
- Your other apps can access the same information if you choose to make it so.
- Information persists after the app is removed, so it can be used by other apps or if the user reinstalls.