HomeDaemon-MCP and Passwords

Authentication data, that is, a login and password, should never be stored in an extractable form. Period.

Yet credentials of exactly this sort are stored in recoverable form in mobile apps and elsewhere all the time. It is a bad practice that leads to serious problems, as many people have discovered.

HomeDaemon-MCP stores its passwords salted and hashed. The hash is a one-way function: the controller keeps only the random salt and the hash output, never the password itself, so someone who steals the controller cannot read the passwords back out of it. The system can verify that you typed the correct password because hashing what you typed with the stored salt reproduces the stored value, but it has no way to run the hash backwards and recover the original characters. Note that this protects against reversal, not against guessing: a thief holding the stored record can still hash candidate passwords against it offline, and a short or common password will be found that way, so choose a strong one.
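The salted, one-way storage and verification described above, shown as an added illustration rather than HomeDaemon-MCP's own code. The page does not say which hash function or parameters the product uses; PBKDF2-HMAC-SHA256 with the iteration count and salt size below, the record format, and the sample passwords and wordlist are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor and salt size are constructed example values; the page does not
# state which hash or parameters HomeDaemon-MCP actually uses.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "pbkdf2_sha256$<iters>$<salt hex>$<hash hex>".

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table is useless against the store.
    The password itself appears nowhere in the record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time.

    The controller never learns the original password from the record; it can
    only check whether a candidate hashes to the same value.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def guess_from_wordlist(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What a thief with the stolen record can still do: hash each candidate
    with that record's salt and look for a match. Salting forces one such run
    per stolen record instead of one table for everyone, but a weak password
    still falls to this loop."""
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    stored = hash_password("correct horse battery")  # constructed example password
    print("stored record:", stored)
    print("correct password verifies:", verify_password("correct horse battery", stored))
    print("wrong password verifies:", verify_password("password1", stored))
    print("same password, different records:", hash_password("pw") != hash_password("pw"))
    weak = hash_password("password1")  # constructed weak password
    print("weak password recovered offline:",
          guess_from_wordlist(weak, ["letmein", "password1", "qwerty"]))
```

The last two lines of the demonstration are the caveat in code: the strong passphrase survives the wordlist run while "password1" does not, even though both are salted and hashed identically.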

The Android app never stores a password either. Instead, when you sign in (just as when you sign in on the web interface) the app receives a "cookie": a cryptographically strong random number generated at sign-in time and associated with your login ID. It is valid for whatever period you select when you configure the system, after which it expires.

Further, for each command the system generates a one-time cryptographic key tied to your login cookie and hands a fresh one back with every successful command. Each key is good for exactly one command, so attempting to "force" commands into the system, even with an intercepted cookie, is worthless: a replayed key has already been consumed and a guessed one will not match the current key.

Finally, should you have reason to believe a session has been compromised, logging out or changing your password from any device (for example, signing into the web interface from somewhere else and then clicking "logout") immediately revokes ALL sessions under that login ID. So if you lose your cellphone with the app running on it and are concerned that someone might break into the phone, signing into HomeDaemon-MCP from a web browser anywhere and then logging out severs the connection not only for that browser but for the app on the phone as well.
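The session behaviour described in the three paragraphs above (random sign-in cookie with a configured lifetime, a one-time command key that rotates on every accepted command, and revoke-all on logout or password change) as an added model, not HomeDaemon-MCP's own code. The token sizes, the in-memory store, the injectable clock and the "lost phone" walk-through are constructed for the example; the real controller's storage, command dispatch and wire format are not described on the page and are not shown here.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_BYTES = 32  # 256-bit random cookie and command key (example value)


@dataclass
class Session:
    login: str
    cookie: str
    expires_at: float
    command_key: str  # the only key the next command will be accepted with


class SessionStore:
    """Cookie sessions with a rotating one-time command key and revoke-all.
    `clock` is injectable so expiry can be shown without waiting."""

    def __init__(self, lifetime_seconds: float, clock: Callable[[], float] = time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self._by_cookie: Dict[str, Session] = {}

    def sign_in(self, login: str) -> Session:
        """Called only after the password check has passed. The cookie is a fresh
        random value bound to the login ID and derived from nothing about the password."""
        cookie = secrets.token_hex(TOKEN_BYTES)
        session = Session(login, cookie, self.clock() + self.lifetime,
                          secrets.token_hex(TOKEN_BYTES))
        self._by_cookie[cookie] = session
        return session

    def _live(self, cookie: str) -> Optional[Session]:
        session = self._by_cookie.get(cookie)
        if session is not None and session.expires_at <= self.clock():
            del self._by_cookie[cookie]  # configured lifetime is over: drop it
            return None
        return session

    def execute(self, cookie: str, command_key: str, command: str) -> Tuple[bool, Optional[str]]:
        """Accept `command` only if the cookie is live and `command_key` is its current
        one-time key. On success the key is rotated and the new one returned; the old
        key is dead, so a captured request cannot be replayed and a cookie alone fails."""
        session = self._live(cookie)
        if session is None or not secrets.compare_digest(command_key, session.command_key):
            return False, None
        # (the real controller would dispatch `command` here)
        session.command_key = secrets.token_hex(TOKEN_BYTES)
        return True, session.command_key

    def revoke_all(self, login: str) -> int:
        """Logout or password change from any device: every session under the
        login ID goes away, app and browsers alike."""
        doomed = [c for c, s in self._by_cookie.items() if s.login == login]
        for cookie in doomed:
            del self._by_cookie[cookie]
        return len(doomed)


def lost_phone_scenario() -> Dict[str, object]:
    """Walk through the page's scenarios and report what the store accepted."""
    now = [0.0]  # constructed clock the demonstration can advance
    store = SessionStore(lifetime_seconds=3600, clock=lambda: now[0])
    phone = store.sign_in("owner")  # the app on the phone
    key1 = phone.command_key  # saved: the Session object is updated in place on success
    ok1, key2 = store.execute(phone.cookie, key1, "lights on")
    # An attacker who captured that first request replays cookie + key1:
    replay_ok, _ = store.execute(phone.cookie, key1, "unlock door")
    # An attacker holding only the cookie tries a key of their own:
    forced_ok, _ = store.execute(phone.cookie, secrets.token_hex(TOKEN_BYTES), "unlock door")
    # The legitimate app carries on with the key it was handed back:
    ok2, key3 = store.execute(phone.cookie, key2, "lights off")

    # Phone lost. Owner signs in from a browser elsewhere and clicks logout:
    browser = store.sign_in("owner")
    revoked = store.revoke_all("owner")
    phone_after, _ = store.execute(phone.cookie, key3, "unlock door")
    browser_after, _ = store.execute(browser.cookie, browser.command_key, "lights on")

    # Expiry: a new session, then the configured lifetime passes.
    later = store.sign_in("owner")
    now[0] += 3601
    expired_ok, _ = store.execute(later.cookie, later.command_key, "lights on")

    return {"first_command": ok1, "replay": replay_ok, "forced_with_cookie_only": forced_ok,
            "second_command": ok2, "sessions_revoked": revoked,
            "phone_after_logout": phone_after, "browser_after_logout": browser_after,
            "after_expiry": expired_ok}


if __name__ == "__main__":
    for name, result in lost_phone_scenario().items():
        print(f"{name}: {result}")
```

Running the scenario shows the replay and the cookie-only attempt both rejected, the app's own next command accepted, and every session (phone and browser) dead after the browser logout. One design point the model makes visible: the one-time key protects the cookie against replay and against use on its own, but whoever holds both the cookie and the most recently returned key can issue the next command, so the channel carrying them still has to be protected in transit.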