
Storing passwords in an app - jamesjyu
http://bynomial.com/blog/?p=148
======
mukyu
"Private key" normally means asynchronous cryptography and digital signatures,
however this is talking about synchronous cryptography, secret keys, and HMAC.

It starts with trying to authenticate that messages really came from the app
and then it drifts off into talking about verifying passwords (which actually
seems to be more about serial numbers/defeating keygens). It also suggests
using AES in one paragraph and then later suggests making your own encryption
function(!) shortly thereafter.

The only thing these techniques will get you is the difference between someone
finding your static key with strings(1) and spending 5 minutes in IDA. If you
are trying to do any of these things you are probably better off going back to
what you are trying to accomplish and working from there instead of "how do I
give and not give them the key at the same time".

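A worked illustration of the point above, added here and not part of the thread or of the linked post: a client app that HMACs its messages with a static key compiled into the binary, and an attacker who recovers that key from the binary's printable strings (the same thing strings(1) does) using one captured message/tag pair, then forges a message the server cannot distinguish from a real one. The "binary" is a constructed byte blob standing in for a compiled executable, and APP_KEY, ExampleApp and api.example.invalid are made-up names.

```python
"""
Added example (not from the linked post or the HN thread): why an HMAC key
baked into a shipped app does not prove a message came from the app.
"""
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

# Hypothetical static key a developer compiled into the client app.
APP_KEY = b"k3y-embedded-in-app-5f2a9c"


def sign(message: bytes, key: bytes = APP_KEY) -> str:
    """What the app does: HMAC-SHA256 over the message with the static key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def server_verify(message: bytes, tag: str) -> bool:
    """What the server does: recompute the HMAC with the same shared key.
    Anyone holding the key produces tags that pass this check."""
    return hmac.compare_digest(sign(message, APP_KEY), tag)


def fake_binary() -> bytes:
    """Constructed stand-in for the shipped executable: an ELF-looking header,
    a few ordinary strings, some opcode-like bytes, and the key literal sitting
    among them the way a compiler places a string constant in .rodata."""
    return (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
            + b"/lib64/ld-linux-x86-64.so.2\x00"
            + b"Welcome to ExampleApp\x00"
            + b"\x48\x89\xe5\x90\x90\xc3"
            + APP_KEY + b"\x00"
            + b"https://api.example.invalid/v1/\x00"
            + b"\xcc\xcc\xcc\x00")


def strings(blob: bytes, min_len: int = 4) -> List[bytes]:
    """Rough equivalent of strings(1): maximal runs of at least min_len
    printable ASCII bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def recover_key(blob: bytes, known_message: bytes, known_tag: str) -> Optional[bytes]:
    """Attacker step: every string in the binary is a candidate key; the one
    that reproduces a tag observed on the wire is the real one. No
    disassembler needed."""
    for candidate in strings(blob):
        if hmac.compare_digest(sign(known_message, candidate), known_tag):
            return candidate
    return None


def forge(blob: bytes, observed_message: bytes, observed_tag: str,
          new_message: bytes) -> Optional[Tuple[bytes, str]]:
    """Recover the key from the binary, then sign an attacker-chosen message."""
    key = recover_key(blob, observed_message, observed_tag)
    if key is None:
        return None
    return new_message, sign(new_message, key)


if __name__ == "__main__":
    # One legitimate message captured from a real session (constructed here).
    legit = b'{"user":"alice","score":10}'
    tag = sign(legit)
    forged = forge(fake_binary(), legit, tag, b'{"user":"alice","score":999999}')
    print("recovered key:", recover_key(fake_binary(), legit, tag))
    print("server accepts forged message:", forged is not None and server_verify(*forged))
```

The server-side check is correct HMAC usage; the problem is only that the key it shares is in every attacker's hands. Obfuscating the literal, splitting it across functions, or wrapping it in a home-grown cipher changes how long the recovery step takes, not whether it succeeds, which is why the comment above suggests revisiting the goal rather than the hiding technique.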
------
btilly
Better solution courtesy of patio11 at
<http://news.ycombinator.com/item?id=2623102>:

 _Then you move your code to the server and this never bothers you again. This
defeats piracy so well it works in China._

