I have to say, in my case, the app doesn't have sensitive information. In fact, I let anyone view the information without a password. They only need a password to change information. It is nothing sensitive. In other words, I am not protecting anything especially secret. I think my protection should be reasonably safe but it doesn't have to be ultra safe. It can be likened to logging on to Wikipedia. Does that change things? If so, what is the set of reasonable steps?
The user's password is holy. As Thomas said you never know how often that same password is used by the user. The only thing allowed is to transfer the password to your server using SSL and create a hash of the password using PBKDF2, bcrypt (preferred) or scrypt for your DB (with a good salt and a reasonable amount of cost to make hashing slow. You don't want MD5/SHA1). If you do anything else with it you are a bad guy ;-)
If your app doesn't have sensitive information then implement a "remember me for 2 weeks" checkbox. Other than that you should follow your original approach and let the browser/password manager ask the user to store the password.
-- J.
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.