Hey. Although this is focused on Windows Phone 7, I guess the principle is universal. I would like to have a password-protected zone within my app. However, my application is completely offline, and so I will have to store credential details on the phone. My initial idea is to store a hash of the password and the salt. Would this be the best way to go? If so, should the hash and salt be stored in plain text, or is there a way to ensure that even they are encrypted? I understand that having the entire scheme on the phone means it will eventually be cracked, but what would be the best way to raise the barrier? Thanks for any suggestions.
Personally, I would encrypt the passwords with a salt that is based on a unique ID of the device (and, if possible, some custom user input like a really short password [dog, cat, bob] - that kind of thing).
Just a suggestion. Please don't downvote it if you don't feel it's the best one.
Yes, you should be storing a hash of the password and the salt. If you were uncomfortable storing these in plain text you could symmetrically encrypt these details also. But then you'd have to store the symmetrical key somewhere also.
When deciding which approach to take, consider the value of what is being secured/protected and the time it will take to encrypt/decrypt (although I doubt this will be an issue in your circumstances).
As you mentioned, it's also important to remember that security is a process and not something you can do once and forget about. It's important to review security practices periodically and keep up to date with changes in best practices and breaches.
That said, I do hope that the security of the data on the phone will be good for many months at least.
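The salt-plus-hash scheme the answers describe, written out as an added example (not code from the thread): it assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt and 100,000 iterations, stores those parameters next to the hash so they can be recomputed at login, and uses a slow key derivation rather than a single hash so that guessing against the stored record is expensive. The record format and parameter values are my choices for illustration.

```python
import hashlib
import hmac
import json
import os

# Assumed parameters (illustrative, not from the thread): a random per-user
# salt and an iteration count high enough to slow offline guessing.
ITERATIONS = 100_000
SALT_BYTES = 16


def create_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Derive a salted PBKDF2 hash; the returned dict is what the app persists.

    Nothing in the record reveals the password; the salt and iteration count
    are stored in the clear because the verifier needs them.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2-sha256",
        "iter": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the derivation with the stored salt/iterations and compare.

    hmac.compare_digest avoids a timing side channel in the comparison.
    """
    if record.get("alg") != "pbkdf2-sha256":
        return False
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def serialize(record: dict) -> str:
    """Encode the record as text for isolated storage on the device."""
    return json.dumps(record)


def deserialize(text: str) -> dict:
    """Decode a record previously written by serialize()."""
    return json.loads(text)
```

On .NET, Rfc2898DeriveBytes implements the same PBKDF2 construction, so the stored record would be derived the same way there.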