hi all,
I know that storing passwords as cleartext in code is a bad idea. So what is the preferred method for using logins and tokens safely in my deployed app? I need to connect to online APIs and email servers.
congratulations, you’ve unlocked a tricky topic. see this for an extensive answer: c# - Best way to hide API key in source code - Software Engineering Stack Exchange
1 Like
Hi, this topic is really debatable, like if you store them as file, yes this is bad, however if you store them in patch, maybe there is way to decompile it and get the data. But you can store them as binary for instance, then the person would have to know that this is binary stream and it should be decided to this particular data type.
On top of that there is encoding options, like you can have it encrypted with some hash… But then you also have to store hash or your server should know the hash…
In web this done by having salt (random hash) and then a function that produces string from that hash and a password, the point of that that only that string is stored in database, and the when you give it password it checks hash if produced string same as in database you get auth token
In ansible they just encode passwords directly in repos Encrypting content with Ansible Vault — Ansible Documentation
I would say just store as binary that should be sufficient. But if you doubt check some binary encrypt.