Flash shared object (cookie) - Safe to store password?
I'd like to use the Flash AS3 shared object ("Flash cookies") to store a password in. Is it safe by default or do I need a technique to encrypt it?
I couldn't find information about whether anybody can look up what shared objects are set by Flash and what content is inside. Any information is pretty welcome. Uli
A general rule is that anything stored on the client can be lifted from the client unless some form of shared encryption is used (HTTPS, for example). With Flash, this is doubly true -- Flash is very simple to decompile and SharedObjects work while offline, which means that if you can spoof the site of origin, you can read the object. It would take me about 30 minutes, but I suspect I could render every shared object on my machine as a human-readable JSON.
If you must store a password or username on the client, then store it in some form of one-way encryption like SHA or (if you're in a bind) MD5. The as3crypto library is here. But, remember, someone client-side can still grab that value and copy it to another machine.
A couple of asides: SharedObjects are not new in AS3. I remember using them in legacy AS2 libraries. Second: there is little to be gained by use of SharedObjects; I've found them inconsistent between IE and the rest of the world. Of course, with Flash Projector, they are your only option. Another benefit of cookies is that cookies are far easier to secure as they can be validated server-side with two-way encryption. Definite bonus.
Don't save passwords on the client! Though it's also unsafe, you could use a checksum: How to calculate CRC checksum in Actionscript 3?
Flash cookies are Local Shared Objects and they are saved as binary .sol files.
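To illustrate the answers above (that a .sol file is a plain binary file whose contents anyone with access to the machine can render as readable key/value pairs), here is an added example, not code from any of the posters, that audits what a shared object holds. It assumes the commonly documented .sol layout (magic `0x00BF`, a length, the `TCSO` tag, the object name, an AMF version, then key/value entries each ended by a zero byte) and handles only AMF3 string values; `SAMPLE`, `parse_sol` and the helper names are hypothetical.

```python
import struct

# Constructed sample (not a real capture): object "login" with an AMF3 body
# holding two string entries, laid out per the assumed .sol format.
SAMPLE = (b"\x00\xbf\x00\x00\x00\x33TCSO\x00\x04\x00\x00\x00\x00"
          b"\x00\x05login\x00\x00\x00\x03"
          b"\x09user\x06\x07uli\x00"
          b"\x11password\x06\x0fhunter2\x00")

def read_u29(buf, pos):
    """Decode an AMF3 variable-length integer (1 to 4 bytes)."""
    value = 0
    for i in range(3):
        byte = buf[pos + i]
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:              # high bit clear: this was the last byte
            return value, pos + i + 1
    return (value << 8) | buf[pos + 3], pos + 4   # fourth byte carries 8 bits

def read_string(buf, pos, table):
    """Read an AMF3 string; a clear low bit means a back-reference."""
    header, pos = read_u29(buf, pos)
    if not header & 1:
        return table[header >> 1], pos
    end = pos + (header >> 1)
    text = buf[pos:end].decode("utf-8", "replace")
    if text:                             # empty strings are never referenced
        table.append(text)
    return text, end

def parse_sol(buf):
    """Return (object_name, {key: value}) for the string entries of a .sol blob."""
    if buf[:2] != b"\x00\xbf" or buf[6:10] != b"TCSO":
        raise ValueError("not a Local Shared Object file")
    (name_len,) = struct.unpack_from(">H", buf, 16)
    pos = 18 + name_len
    name = buf[18:pos].decode("utf-8", "replace")
    if struct.unpack_from(">I", buf, pos)[0] != 3:
        raise ValueError("this example only handles AMF3 bodies")
    pos += 4
    table, values = [], {}
    while pos < len(buf):
        key, pos = read_string(buf, pos, table)
        if buf[pos] != 0x06:             # 0x06 = AMF3 string marker
            values[key] = "<non-string value, parsing stopped>"
            break
        values[key], pos = read_string(buf, pos + 1, table)
        pos += 1                         # skip the 0x00 that ends each entry
    return name, values
```

Calling `parse_sol(SAMPLE)` returns the stored password verbatim, which is the reason a secret written to a shared object should be treated as readable by anyone with access to the profile directory.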