If it's not an HTTPS URL then yes. If not, it doesn't mean your account has been compromised yet, but you're sending authentication information over an unencrypted channel... you're asking for it.
Security implications of storing a password in Settings.bundle and getting with CFPreferencesCopyAppValue
CFPreferencesCopyAppValue is just the Core Foundation way of accessing the same information you get when using NSUserDefaults. In terms of security, the features are exactly the same. That is, it's not encrypted. It's secure only in the sense that it's obscured. The "correct" answer is to use the keychain. The counter to that is that many applications use NSUserDefaults to store passwords. You could argue that unless the password controls access to information of any value then it's not worth the effort in trying to use the keychain. Which brings me to the second argument in favour of using a secure field in the Settings application: the keychain API is hideous and, in my experience at least, writing error-free code is tricky.
Security implications of storing the password hash along an encrypted AES key
The password hash also needs to use a salt, otherwise dictionary attacks are possible and two users who happen to pick the same password will have the same hashed password stored in the DB. I would suggest this: Just use PKCS#5 twice; once to generate the hashed password (which you store in the clear), and once to generate the encryption key (which you do not).
What are the security implications (if any) of allowing any password?
Event Sourcing and password change security implications
Indeed, storing a password inside events is a very dangerous thing to do, but you have no real reason to store the password inside the event payload. In fact you may not even use Event sourcing for the UserCredentialsSubdomain or the entire AuthenticationDomain. If you still decide to use Event sourcing for the AuthenticationDomain (which is not necessarily a bad thing), you don't need to store the password inside UserChangedPasswordEvent because you don't need the entire password history (hashed or cleartext) inside your Write model. The last password (or hash) is used only by the Authentication service to verify the identity of a user. No other Read model needs this; the use cases where you would need the recent password history (i.e. to not permit changing to an old password) can be implemented using a password log or something similar; you don't need Event sourcing for this. The UserChangedPasswordEvent could be useful, for example to show the user the last date when the password was changed, but without containing the password itself.