Protecting user passwords in desktop applications (Rev 2)

夕颜 2020-12-16 17:47

I'm making a Twitter client, and I'm evaluating the various ways of protecting the user's login information.

IMPORTANT: I need to protect the user's data from ot

7 answers
  •  无人及你
    2020-12-16 18:36

    Store it in plain text and let the user know.

    That way, there are no misconceptions about what level of security you have achieved. If users start complaining, consider xor'ing a published-on-your-website constant onto it. If users keep complaining, "hide" the constant in your code and tell them it's bad security.

    If users can't keep bad people out of the box, then in effect all secret data they have is known to Dr. Evil. Doesn't matter whether it's encrypted or not. And if they can keep evil people out, why worry about storing passwords in plain text?

    I could be talking out my ass here, of course. Is there a study showing that storing passwords in plain text results in worse security than storing them obfuscated?
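The answer's point about XOR'ing a constant onto the stored password, as an added example that is not part of the original answer or any real client: the transform is its own inverse, and a single account whose password is already known gives back the constant's bytes, so every other stored entry decodes too. `APP_CONSTANT`, the function names and the sample passwords are constructed for illustration.

```python
from itertools import cycle

# Constructed stand-in for the constant "hidden" in the client binary (assumption).
APP_CONSTANT = b"example-constant-2020"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; applying it twice restores the input."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def obfuscate(password: str) -> bytes:
    """What the client would write to disk under this scheme."""
    return xor_bytes(password.encode("utf-8"), APP_CONSTANT)


def deobfuscate(blob: bytes) -> str:
    """Same operation as obfuscate: anyone holding the constant reads the password."""
    return xor_bytes(blob, APP_CONSTANT).decode("utf-8")


def keystream_from_known_pair(blob: bytes, known_password: str) -> bytes:
    """A stored blob XORed with its own password yields the constant's leading bytes."""
    return xor_bytes(blob, known_password.encode("utf-8"))


def decode_with_keystream(blob: bytes, keystream: bytes) -> bytes:
    """Decode another stored blob without ever seeing the binary or the constant."""
    if len(blob) > len(keystream):
        raise ValueError("recovered keystream is shorter than the blob")
    return xor_bytes(blob, keystream)


if __name__ == "__main__":
    # Constructed sample data: two stored entries from the same client install.
    mine = obfuscate("hunter2-sample")
    other = obfuscate("pw-other")
    ks = keystream_from_known_pair(mine, "hunter2-sample")
    print("constant prefix recovered:", ks)
    print("other entry decodes to:", decode_with_keystream(other, ks))
```

For a reviewer, this is the check that separates obfuscation from protection: if the decode path needs nothing the local attacker cannot already read, the stored value should be treated as plaintext.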
