4

I need my application to be able to remember a user's username and password so that in the future the user doesn't have to enter it again.

Obviously, in order to "remember" the username and password for future use, this means my application will have to store the username and password to disk in some way.

How is this typically done? I know that Pidgin stores the username and password in plain text. I'd like to avoid this if possible. Is there a better way?

EDIT: The platform I'm targeting is Windows.

WonderRed
  • 41
  • 2
  • what platform are you targeting? GNOME has GNOME Keyring that stores passwords encrypted, and by default it is unlocked when the user logs in (using their login password via pam hooks). KDE has KWallet, which IIRC works much like the GNOME thing (and the two may even implement each others API). I believe MacOSX has something similar. I don't know about Windows. – Spudd86 Jun 02 '11 at 20:47
  • @Spudd86: Hi, I'm targeting Windows. – WonderRed Jun 02 '11 at 21:01

2 Answers2

4

First, be aware that no method of storing names and passwords locally is going to be secure. Obfuscating and/or encrypting (which I would consider mandatory) will defend against casual snooping, but the data must still be decipherable locally to be useful, and that process can be replicated by a determined hacker. You should always give the user the option of opting out (or opting in) to this scheme. (This is what browsers typically do.)

If you are using the name/password to communicate to a server, a better approach is to obtain an identity token from the server upon successful login and store that locally. That way, even if the encryption is broken, the user's login credentials are not compromised (although access to the account may be, at least until the token is revoked).

EDIT: Since you're targeting Windows, consider using the Data Protection API.

Ted Hopp
  • 232,168
  • 48
  • 399
  • 521
  • As I noted in my comment, there may be a storage solution that will be secure as long as the user is not logged in available depending on the target platform. – Spudd86 Jun 02 '11 at 20:52
0

Assuming that you need to store credentials for an external service, such as storing an email account username and password, your only option for secure local storage is to encrypt relevant credentials before writing them to a file.

What method you choose for encryption is a question in it's own right.

Focus your attentions on selecting an encryption mechanism that cannot be brute forced in a reasonable amount of time and selecting an encryption mechanism that permits a straightforward means of setting and changing the key length.

Jon Cram
  • 16,609
  • 24
  • 76
  • 107