On Thu, Sep 13, 2012 at 01:49:42PM -0700, bob wrote:

> 1. The comparison of the username and password is case-sensitive, which it
> probably shouldn't be (*maybe* for password, probably not for username)

Just FYI: I have never seen a case where the password is NOT case sensitive (that would be a very bad thing). I take that back... I do remember one system, and to make it worse, it used randomly-generated passwords (that forced people to write them down), ALL UPPERCASE, and only letters... nothing else. A script kiddie would take about 5 minutes with crack to break that.

Likewise, usernames are generally not case-sensitive, with one exception that may not exist anymore: Unix variants (including Linux). At least in the past, if you logged on with all uppercase letters, the system would assume that you were on a terminal that did not support lowercase, and everything would be uppercase (so if you turned the caps lock key off, you had to turn it back on to enter any commands).

> 2. The passwords are stored insecurely in the database, whereas an MD5
> hash would be preferred.

Does the Android platform have any support for the usual password handling like Unix's? That would be the most secure way to go. In Unix (and variants), when you enter a password, it's encrypted, part of the encrypted data is deleted, encrypted again, modified again, and so on for some number of times. The encrypted password cannot be reversed. So when you log in later, the two encrypted versions are compared, and if they match, you get logged in. I used to know the rest (the way it was modified), but have long since forgotten. It's an expensive password routine, but it's also as secure as the password used by the user (which is usually really bad, from what I used to see long ago, when I, as the admin, ran crack on my users' passwords all the time). If it's available in the SDK, that's what I would recommend... just my $10 worth (inflation, you know), though.

Later,
--jim

--
THE SCORE: ME: 2 CANCER: 0
73 DE N5IAL (/4) MiSTie #49997 < Running Mac OS X Lion >
[email protected] ICBM/Hurr.: 30.44406N 86.59909W
Seen in alt.sysadmin.recovery: "Priceless; that's better than telling him to use the Read Manual command with the Real Fast option."
Android Apps Listing at http://www.jstrack.org/barcodes.html

--
You received this message because you are subscribed to the Google Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
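The scheme jim describes above (store only a one-way, iterated transform of the password; at login recompute it and compare; never reverse it) is what a password-based key derivation function does today. The following is an added example, not code from the thread or from Android; it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the DES-based Unix crypt() routine the post recalls, adds a per-user random salt, and folds the username case-insensitively while leaving the password case-sensitive, matching both points raised in the reply. The in-memory user table and the sample accounts are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not values from the thread).
ITERATIONS = 100_000   # work factor: makes guessing expensive, like the iterated crypt() scheme
SALT_BYTES = 16        # per-user random salt defeats precomputed (rainbow) tables


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$digest_hex' for storage in the database.

    The digest is one-way: the password cannot be recovered from it, which is
    the property the post describes for Unix password files.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare it to the stored digest in constant time (no early exit on the
    first differing byte, so timing reveals nothing about the hash)."""
    try:
        iter_str, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def normalize_username(username: str) -> str:
    """Usernames are looked up case-insensitively, as the reply recommends;
    passwords are never folded, so 'S3cret!' and 's3cret!' stay distinct."""
    return username.strip().casefold()


# Constructed in-memory 'database': normalized username -> stored hash string.
USERS = {}


def register(username: str, password: str) -> None:
    USERS[normalize_username(username)] = hash_password(password)


def login(username: str, password: str) -> bool:
    stored = USERS.get(normalize_username(username))
    if stored is None:
        # Run the KDF anyway so an unknown user costs the same time as a wrong
        # password; otherwise response time reveals which usernames exist.
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    register("Alice", "S3cret!")
    print(login("alice", "S3cret!"))   # True: username case is ignored
    print(login("alice", "s3cret!"))   # False: password case is significant
    print(login("bob", "S3cret!"))     # False: unknown user, same cost as a bad password
```

Two design points worth noting: the iteration count is stored alongside the hash so it can be raised for new accounts without invalidating old records, and the comparison goes through `hmac.compare_digest` rather than `==`. An unsalted, single-round MD5 of the password, as suggested in the quoted message, gives neither the per-user salt nor the work factor that this structure provides.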

