I found out the hard way, after several hours of not being able to log in with users where I encrypted their passwords on the client-side, that we should just provide the user-generated password to Backendless. Is this accurate?
If this is accurate can you please add this to your documentation as well as the fact that passwords will not appear in the database?
If this is not accurate what was I doing wrong?
Hi Mike,
Sorry you had to spend time on this. When a user registers, the password value you submit should be the password value your app will use for authentication. If you do any additional “pre-processing” for the passwords for the “register” call, the same “pre-processing” must take place for the “login” call.
Aside from that, we hash and salt user passwords in our storage. The console never shows user password values (the password cells are always clear).
Does it answer your question?
Regards,
Mark
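Mark's point above, as an added Python example (not Backendless code): a toy server that stores only a salt and a slow hash of whatever value the client submits, plus a hypothetical client-side pre-hash `client_preprocess`. Login succeeds only when the same pre-processing is applied at both register and login; the stored record never contains the raw password.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table": each record holds only a random salt
# and a salted hash of the submitted password value, never the password.
USERS: dict[str, dict[str, bytes]] = {}

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) of the value the client submitted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(username: str, submitted_password: str) -> None:
    """Server side: store salt + hash of the submitted password value."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(submitted_password, salt)}

def login(username: str, submitted_password: str) -> bool:
    """Server side: recompute the hash with the stored salt, compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    candidate = _hash_password(submitted_password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def client_preprocess(password: str) -> str:
    """Hypothetical deterministic client-side pre-processing (a pre-hash).
    If the app applies it at register time, it must apply it at login time too."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def plaintext_in_store(username: str, password: str) -> bool:
    """True if the raw password bytes appear anywhere in the stored record."""
    raw = password.encode("utf-8")
    record = USERS[username]
    return raw in record["salt"] or raw in record["hash"]

def demo() -> dict[str, bool]:
    USERS.clear()
    # Case 1: no pre-processing at either step: login works.
    register("alice", "correct horse")
    plain_ok = login("alice", "correct horse")
    # Case 2: identical pre-processing at both steps: login works.
    register("bob", client_preprocess("battery staple"))
    consistent_ok = login("bob", client_preprocess("battery staple"))
    # Case 3: pre-processing at register only: the server hashed the pre-hashed
    # value, so the raw password submitted at login can never match.
    mismatched_ok = login("bob", "battery staple")
    return {"plain": plain_ok, "consistent": consistent_ok,
            "mismatched": mismatched_ok,
            "plaintext_stored": plaintext_in_store("alice", "correct horse")}
```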
No problem at all. I was applying the same encryption on both login and registration but for some reason it wouldn’t work. When I removed the encryption from both it worked all of a sudden. I verified that the encryption produced the same string each time. Not sure what happened then.
Thanks for the insights.
There’s got to be some difference… The network protocol is encrypted by default (SSL), so passwords are never sent in clear text.
Regards,
Mark