iPhone Authentication Password Encryption
What is the best way to handle encryption for passwords?
I'm trying to send a password via a NSURLRequest. The passwords are encrypted at the database level on the server.
Should I send the password over as clear text and then, when it reaches the server, encrypt the password and check whether this matches the encrypted password in the database?
Should I encrypt the password first and then just check this encrypted password matches the encrypted password in the database?
You should never send a password over an unsecured plain HTTP connection.
Using TLS (the successor to SSL) as stated by j0k would be your way to go; if at all possible you should use it instead of inventing your own schemes. If you simply use one-way TLS/SSL (i.e. only the server authenticates itself, the client stays anonymous) then you will save yourself the trouble of handling symmetric encryption keys on the client side.
If you properly set up your TLS on the server then you may simply transmit the user credentials unencrypted. TLS as a protocol handles encryption on the transport level so you as a developer need not care about it any longer.
Another thing you should probably do is not store the passwords in encrypted form, but store only a salted hash of them (SHA-1 or something adequate) in your database. This way you'll never be in danger of compromising your users' passwords.
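The server-side storage the answer above recommends, as an added example that is not part of the original answer: each user gets a random per-user salt and a one-way hash of the password, never the password itself or a reversible encryption of it. Where the answer mentions SHA-1, this example uses PBKDF2-HMAC-SHA256 from Python's standard library (a deliberately slow, iterated hash) as the modern substitute; the in-memory `USERS` table, the user names and the `register`/`login` helpers are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example (not from the original answer). Stores a salted one-way hash
# per user instead of the password or a reversible encryption of it.
# PBKDF2-HMAC-SHA256 is assumed here in place of the SHA-1 the answer names.

ITERATIONS = 200_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Dict[str, object]:
    """Return a record suitable for storing in the user table.

    A fresh random salt is generated unless one is supplied, so two users
    with the same password end up with different stored hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Constructed in-memory "database": username -> stored record.
USERS: Dict[str, Dict[str, object]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Hash anyway so the unknown-user path costs about as much as a
        # wrong-password path and does not reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, record)


def same_password_different_records(password: str) -> bool:
    """Two registrations of the same password must not share salt or hash."""
    a = hash_password(password)
    b = hash_password(password)
    return a["hash"] != b["hash"] and a["salt"] != b["salt"]


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("stored :", USERS["alice"])
    print("login  :", login("alice", "correct horse battery staple"))
    print("wrong  :", login("alice", "Tr0ub4dor&3"))
    print("unknown:", login("bob", "anything"))
    print("salted :", same_password_different_records("hunter2"))
```

The record stores the iteration count alongside the salt so the work factor can be raised later for new registrations without invalidating existing rows; the client still submits the plaintext password over TLS and the server does the hashing.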
I would encrypt the password locally and then send it over to the server. You always want to limit passing around plaintext passwords, for security reasons.
Given how you're doing it, it doesn't really matter which approach you use. The comparative approach is exactly the same. If you're just comparing a string to a string, there's no difference between "foo" and its encrypted counterpart, e.g. "74$#4uc".
If you're looking for security, there are a few things you can do, but they're all going to require work. The simplest probably would be to post to the URL using SSL, if that's an option for you.