views:

42

answers:

1

I have an application for Android which communicates with a Google App Engine (GAE) back-end. For authentication I have a user name and password, however I don't wanna store the plain text password on the client and transfer it in plain text on an insecure channel. So I was thinking of hashing the password when the users enters it the first time (registration or login) and store it hashed on the phone as well as on the GAE database. However, I'm not sure which cryptographic hash function to use, currently thinking about sha1(), and if I need to do something else or just a sha1(plainTextPassword).

Any recommendations?

+4  A: 

If you mean that you'll send the hash of the password from the client to the server, and compare it to a hash of the password stored at the server, this isn't secure.

Anyone who intercepts the hash can use it to login to your application. For your application, the hash is effectively a password. Password authentication requires a private channel to an authenticated partner, e.g. SSH or TLS.

One might argue that at least helps protect other accounts of the user that might share the same password, but one round of SHA-1 with no salt leaves a password very susceptible to rainbow tables and dictionary attacks. Use a key derivation function from PKCS #5 to properly obscure a password; 8 random bytes of salt and a couple thousand iterations are good parameters for PBKDF1.

erickson
Thanks for your answer. Yes, I actually meant to protect other accounts of the user. Will look into the other things you wrote.
znq