How to avoid plain-text password storage on the server with the ALLJOYN_SRP_LOGON mechanism

Hi,

As I understand it, in order for the AJ server to employ the user name/password authentication mechanism (ALLJOYN_SRP_LOGON), it is required to know, and thus to store, plain-text user names and passwords on the server, which is bad practice. Based on the Credentials class description, it is necessary to provide the UserName and Password directly during the authentication process (in the RequestCredentials callback).

The question: how is it possible to avoid plain-text password storage on the server side in AJ?

There is a Credentials::SetLogonEntry() method available, but there is not a single usage example, and I'm also not sure whether it solves the issue, because some of the N:g:s:v parameters seem to be session-specific (salt?) and also cannot be permanently stored.
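
For reference on the N:g:s:v parameters mentioned in the question, the following added example (not part of the original post and not AllJoyn code) computes an SRP logon entry the way RFC 5054 defines the verifier. The function names, the choice of the RFC 5054 1024-bit group and the uppercase hex layout are assumptions; the string would still have to match what Credentials::SetLogonEntry() expects.

```python
import hashlib
import secrets
from typing import Optional

# RFC 5054 Appendix A 1024-bit group. Assumption: the server's SRP
# implementation uses this group; substitute the one it actually expects.
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3"
)
G = 2


def srp_x(user: str, password: str, salt: bytes) -> int:
    """x = SHA1(s | SHA1(I ":" P)), the private value from RFC 5054."""
    inner = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def make_logon_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """Run once at enrollment; returns hex 'N:g:s:v'. The password is not kept."""
    if salt is None:
        salt = secrets.token_bytes(16)  # in RFC 5054, random per user and stored with v
    v = pow(G, srp_x(user, password, salt), int(N_HEX, 16))
    return f"{N_HEX}:{G:X}:{salt.hex().upper()}:{v:X}"


def parse_logon_entry(entry: str) -> dict:
    """Split a stored entry into its fields, rejecting malformed input."""
    parts = entry.split(":")
    if len(parts) != 4:
        raise ValueError("expected four colon-separated hex fields")
    n, g, v = int(parts[0], 16), int(parts[1], 16), int(parts[3], 16)
    if not (1 < g < n and 0 < v < n):
        raise ValueError("generator or verifier out of range for the group")
    return {"N": n, "g": g, "s": bytes.fromhex(parts[2]), "v": v}


if __name__ == "__main__":
    # Constructed sample account, for illustration only.
    print(make_logon_entry("sample-user", "sample-passphrase"))
```
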