简体繁体 English

在android中存储不同的密码

[英]Store different passwords in android

原文 2011-06-25 07:27:35 9 2 java/ android

I am developing an android app that requires multiple default passwords to be stored. 我正在开发一个Android应用程序，需要存储多个默认密码。

Based on the password entered, the user will be shown different forms to be filled. 根据输入的密码，将向用户显示要填写的不同表格。

What is the best solution to store the default passwords if the number of default passwords are more say 10 to 20? 如果默认密码的数量多于10到20，那么存储默认密码的最佳解决方案是什么？

2 个解决方案

I see two possibilities: 我看到两种可能性：

Hash all passwords (together with a salt!) and store the hashes in the normal sqlite database. 哈希所有密码（连同盐！）并将哈希值存储在普通的sqlite数据库中。 Each time a user enters a password, you would generate the hash (with the salt) and look in the database if there is a mathing password hash. 每次用户输入密码时，您都会生成哈希值（使用salt）并查看数据库中是否存在密码哈希。 If no, no password was right. 如果不是，没有密码是对的。 If yes, you can look which of the passwords matched, and forward to the correct form activity. 如果是，您可以查看匹配的密码，并转发到正确的表单活动。 Note that only one hash has to be performed when the user enters a password, so you can use slow hashing algorithms. 请注意，当用户输入密码时，只需执行一个哈希，因此您可以使用慢哈希算法。
Store passwords in an (AES-)encrypted database, or in encrypted form in the normal unencrypted database. 将密码存储在（AES-）加密数据库中，或以加密形式存储在正常的未加密数据库中。 You can then always calculate the plain-text form of the stored passwords, for easier comparison. 然后，您可以始终计算存储密码的纯文本格式，以便于比较。 This approach has the downside that you would have to store a secret (key or passphrase) within your app (or get it from your server each time), which is easy to retrieve by decompilation - if these are sensitive passwords or you protect sensitive data, that would be a no-go. 这种方法有一个缺点，你必须在你的应用程序中存储一个秘密（密钥或密码）（或每次从你的服务器获取），这很容易通过反编译检索 - 如果这些是敏感密码或你保护敏感数据那将是一场禁赛。

I would prefer the first possibility. 我更喜欢第一种可能性。 Also, I would not use common MD5 as hashing algorithm, but at least SHA-512 or, even better, bcrypt. 另外，我不会使用普通的MD5作为散列算法，但至少使用SHA-512或更好的bcrypt。 Here is a good thread explaining why and how to do that on Android: Stackoverflow-Thread . 这是一个很好的线程，解释了为什么以及如何在Android上执行此操作： Stackoverflow-Thread 。 Basically, you must reckon that somebody will retrieve the sqlite database, and it's then very easy to find out weak passwords (with the help of rainbow-tables) if fast hashing algorithms (eg MD5) have been employed. 基本上，你必须认为有人会检索sqlite数据库，然后很容易找到弱密码（在rainbow-tables的帮助下）如果使用了快速哈希算法（例如MD5）。 Password salts do help, but only against google attacks . 密码盐确实有帮助，但仅限于谷歌攻击。 Bcrypt hashes (+ salt!) are much slower to generate (which is good), making even weak passwords hard to crack. Bcrypt哈希（+盐！）生成得慢得多（这很好），甚至弱密码难以破解。