Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Let’s say we have a client and a server. If the client wants to “connect” to the server, it needs to provide a password (in plaintext, transmitted over https). If the client were to remember the password, it open a whole lot of vulnerabilities. Are these avoidable?
I assume you mean if the server were to remember the password. The client remembering the password is a direct trade-off between convenience and security, not much to discuss there.
Run the password through a “hash”. This is, essentially, a one-way process – you can get from the password to the hash, but not the hash to the password. On the server side, you only store the hash. When someone wants to authenticate, take their password, hash it, and compare it to your stored hash. You do not have to store the password in plaintext this way.
This is very basic password handling stuff. There are some subtlties to getting it right. There’s some discussion about a c# implementation here: Hash and salt passwords in C#
If you do mean the client remembering the password, you still don’t need to store the password itself. Authenticate with the server and have it return a token which expires after a certain time. This token is good as a credential for logging in while it’s valid. Your client only needs to store the token.