Open RobynVG opened 4 years ago
Hi Robyn
The API runs over SSL, so we do not need to encrypt passwords during the authentication step.
However, I'd assumed that the Android / iOS package provides a secure password (account) management system, that you could leverage for the in-App password storage? I enter passwords to various accounts on my phone and they will show up under the settings => accounts details. Did you look into using that?
I haven't looked into that but I'll definitely check it out
On our end we are currently storing passwords in plain text in our database. We are also sending passwords in plain text when querying the API.
I think it would be ideal if we hashed the passwords. This way we can send you the hashed password, you can hash the passwords on your end and compare.
I noticed previously when I reset my password on the website I was sent back my password by email. I just tried again and was asked to reset my password instead of being sent back my password. Maybe you already changed this on the website!?
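The hashing the thread proposes, written out as an added example (my code, not the project's): the server keeps a per-user salted scrypt hash in place of the plaintext database cell and re-derives it at login. It assumes the password itself still travels to the server over the existing SSL connection, since a client-sent hash would just become the secret being compared; the function names and record layout are my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example (not the project's code): server-side password storage
# with a per-user random salt and a slow KDF (scrypt from the standard library),
# plus constant-time verification. The stored record never contains the password.

SCRYPT_N = 2 ** 14   # CPU/memory cost parameter (16 MiB with r=8)
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32           # derived key length in bytes


def _derive(password: str, salt: bytes, n: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'scrypt$<n>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(16)   # fresh random salt per user, so equal passwords differ
    return f"scrypt${SCRYPT_N}${salt.hex()}${_derive(password, salt, SCRYPT_N).hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt/cost and compare in constant time.

    Anything that is not a well-formed record (e.g. a leftover plaintext row)
    fails closed instead of being compared as if it were a hash.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "scrypt":
        return False
    try:
        n, salt, expected = int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return False
    return hmac.compare_digest(_derive(password, salt, n), expected)


def migrate_row(stored: str) -> str:
    """Upgrade one plaintext database cell to a hashed record; rows that already
    carry the 'scrypt$' prefix are passed through unchanged (assumes no real
    password starts with that prefix)."""
    return stored if stored.startswith("scrypt$") else hash_password(stored)
```

After migration the old plaintext column should be dropped, and the reset flow should issue a time-limited reset token rather than mailing the password back, which a hashed store can no longer do anyway.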