Easy User Authentication For Mobile Developers - janaboruta
http://www.stackmob.com/2011/10/easy-user-authentication-3/

======
bigiain
"Also, we encrypt user passwords on our servers and we never return a password
in the result of any query."

Queue a link to _that_ bcrypt article...

I wonder if they've got a reason not to only store a hash? And if so, I wonder
if they've got infrastructure secure enough to store your users passwords in
an apparently retrievable form?

(I quite like Mozilla.org's guideline of storing the hashes in the database and
the salts in the filesystem, to help ameliorate the consequences of an SQL
injection attack...)

~~~
jordanrw
Hi, thank you for your inquiry. I'm one of the StackMob engineers that worked
on this feature. The encryption is one-way and we are storing a hash only
using bcrypt. We will update the post ASAP to be more clear.

~~~
bigiain
Good to hear. Thanks for the response.

I'd be interested to hear about your timeframe for "forgotten password" and
"password reset", it's not really up to a "minimum viable product" without
that.

~~~
glenngillen
A previous employer took 10 years to implement both of those, and was very
profitably in business during that time.

You'd be surprised what can constitute a "minimum" viable product.

------
buro9
A question I'm struggling with at the moment for my own project, is whether
allowing the password to pass through the hands of a third party developer is
even wise?

------
dustineichler
1. Should you even bother using this if you can't implement NSURLConnection
based authentication? No. 2. The point of this is lost on me. Why would I use
this?

------
claus_z
Seems in part very similar to parse.com

