My program asks a user to create a 4-digit passcode (much like the unlock screen built into the iPhone). The program will store the passcode and test it against a passcode entered at a later date and will deny or give access to a tableview of documents. I also need to store the passcode in iCloud in case another device wants to use the same database of documents. I do not need to store username information.
I’ve been reading about using keychain but this seems like a bit of overkill for my purpose. I’m a beginner to security and have no clue on what to do and what NOT to do. Can anyone point me in the right direction for what documents or tutorials I could read that would be appropriate for my application? Thanks for the help.
UPDATE
Note about using keychain, in reply to the answers below:
If I was to use keychain I’m under the impression from the Apple docs that I would not be able to, nor should I, store the passcode on iCloud. This presents an interesting problem because storing documents on iCloud is an essential behavior of my application, as users need to access the same set of documents, which are protected by a passcode, across multiple devices. How do I approach this problem? Is there a known secure way to work around this, or would I have to totally abandon the use of keychain altogether?
Are you intending to do a simple string comparison as a pretend security measure or are you actually encrypting private data and just using a key that’s intentionally weak?
Both approaches are valid but I assume your users expect the latter. (Would they be upset if someone read their data in plain text right out of the phone backup dumps?)
If you’re actually encrypting their data with an intentionally weak key, then you definitely should use the internal keychain and probably use PBKDF2 to make a useful key based on the very short amount of secret data available to you. Any other approach is probably setting you up for embarrassing situations or outright hostile users. Let Apple manage as much as they can. (Do not store the key in iCloud.)
Note that using keychain and PBKDF2 will still leave your user’s data open to pretty easy brute-force key guessing, but that must be expected with such short keys.
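As an added example, not code from the question or the answer above: a Python sketch of the scheme the answer recommends, with PBKDF2 stretching the 4-digit passcode into a usable key, plus a brute-force loop that shows why the answer warns the data stays open to key guessing. The 16-byte salt, the iteration counts, the HMAC-based verifier tag and all function names are my assumptions. On iOS the enrolment record would live in the keychain and the derived key would feed an authenticated cipher such as AES-GCM; neither the keychain nor the cipher is modelled in this standard-library-only example.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the original post). Iteration count is the
# only dial you have: it slows each guess, but cannot fix a 10,000-key space.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32
SALT_LEN = 16
VERIFIER_LABEL = b"passcode-verifier"  # fixed label keyed under the derived key


def derive_key(passcode: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the short passcode into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def enroll(passcode: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Create the record to keep on the device (e.g. in the keychain).

    Only salt, iteration count and a verifier tag are stored; the passcode and
    the derived key are not. The key exists only in memory while unlocked.
    """
    if len(passcode) != 4 or not passcode.isdigit():
        raise ValueError("passcode must be exactly four digits")
    salt = os.urandom(SALT_LEN)
    key = derive_key(passcode, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def verify(passcode: str, record: dict):
    """Return the derived key if the passcode matches the record, else None."""
    key = derive_key(passcode, record["salt"], record["iterations"])
    tag = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    # Constant-time comparison so timing does not leak which bytes matched.
    return key if hmac.compare_digest(tag, record["verifier"]) else None


def brute_force(record: dict):
    """Try every 4-digit passcode in order; returns (passcode, attempts)."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if verify(guess, record) is not None:
            return guess, n + 1
    return None, 10_000


if __name__ == "__main__":
    # Constructed demo; low iteration count so the exhaustive search finishes
    # in seconds. With 100,000 iterations it still only takes minutes.
    rec = enroll("4719", iterations=500)
    print("correct passcode accepted:", verify("4719", rec) is not None)
    print("wrong passcode rejected:  ", verify("0000", rec) is None)
    found, tries = brute_force(rec)
    print(f"brute force recovered {found!r} after {tries} attempts")
```

The record holds nothing that could be pushed to iCloud safely: anyone holding the salt and verifier can run the same loop offline, which is the answer's point that the device-local keychain is the right home for it and that a 4-digit secret buys you rate limiting at best, not confidentiality.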