Protecting user passwords in desktop applications (Rev 2)

Front-end · Unresolved · 7 · 492
夕颜
夕颜 2020-12-16 17:47

I'm making a twitter client, and I'm evaluating the various ways of protecting the user's login information.

IMPORTANT: I need to protect the user's data from ot

Related tags:
7 answers
  • 2020-12-16 18:29

    Upon further contemplation I think I found a way. I will use ASP.net authentication for my desktop application, store their credentials online and let Internet Explorer's password manager handle the local caching of this secondary pair of credentials for me.

    I will just have to have them authenticate through a Facebook-API like form during the first login.

  • 2020-12-16 18:36

    Store it in plain text and let the user know.

    That way, there are no misconceptions about what level of security you have achieved. If users start complaining, consider xor'ing a published-on-your-website constant onto it. If users keep complaining, "hide" the constant in your code and tell them it's bad security.

    If users can't keep bad people out of the box, then in effect all secret data they have is known to Dr. Evil. Doesn't matter whether it's encrypted or not. And if they can keep evil people out, why worry about storing passwords in plain text?

    I could be talking out my ass here, of course. Is there a study showing that storing passwords in plain text results in worse security than storing them obfuscated?

  • 2020-12-16 18:42

    I don't get it... why is encryption no good? Use a large key and store the key in the machine key store (assuming Windows). Done, and done.

  • 2020-12-16 18:43

    I think you are missing the bigger picture here:

    If the desktop is compromised, you're F#*%ED!

    To steal a password from your program, a virus would have to be running on the system as administrator. If the virus has achieved that, stealing passwords from your program is way down on its list of malicious things it wants to do.

  • 2020-12-16 18:44

    This is a catch-22. Either you make the user type in his password every time, or you store it insecurely (obfuscated, encrypted, whatever).

    The way to fix this is for more operating systems to incorporate built-in password managers - like OS X's Keychain. That way you just store your password in the Keychain, the OS keeps it secure, and the user only has to type in 1 master password. Lots of applications (like Skype) on OS X use Keychain to do exactly what you are describing.

    But since you are probably using Windows, I'd say just go with some obfuscation and encryption. I think you may be slightly paranoid about the password-stealing-bots; if your application doesn't have a large userbase, odds are pretty low that someone will target it and specifically try to steal the passwords. Besides that, they would also have to have access to their victim's filesystem. If that's the case, they probably have a virus/worm and have bigger problems.

  • 2020-12-16 18:45

    OSX: Use the Keychain

    Windows: Use CryptProtectData and CryptUnprotectData

    Linux: Use GNOME Keyring and KDE KWallet

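A worked example for the Windows line of the answer above, and for the earlier "store the key in the machine key store" suggestion. This is added code, not from any of the posters: in a .NET desktop application, CryptProtectData and CryptUnprotectData are exposed as `System.Security.Cryptography.ProtectedData`, so the application never handles a key itself; Windows derives it from the logged-on user's credentials. The class name, file location and entropy string are assumptions for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread): persist a login secret with Windows DPAPI.
// Requires a reference to System.Security (or the System.Security.Cryptography.ProtectedData package).
static class CredentialStore
{
    // Optional entropy is not a secret; it just binds the blob to this application so
    // another DPAPI caller under the same account cannot decrypt it by accident.
    // The value here is an assumption for the example.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-twitter-client-v1");

    // Assumed location: %LOCALAPPDATA%\ExampleTwitterClient\credentials.bin
    static string BlobPath => Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleTwitterClient", "credentials.bin");

    public static void Save(string secret)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        // CurrentUser scope: only processes running as this Windows account can unprotect the blob.
        byte[] blob = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plaintext, 0, plaintext.Length);
        Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
        File.WriteAllBytes(BlobPath, blob);
    }

    public static string Load()
    {
        if (!File.Exists(BlobPath))
            return null;

        byte[] blob = File.ReadAllBytes(BlobPath);
        try
        {
            byte[] plaintext = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            string secret = Encoding.UTF8.GetString(plaintext);
            Array.Clear(plaintext, 0, plaintext.Length);
            return secret;
        }
        catch (CryptographicException)
        {
            // Blob was written under a different account/machine, or has been tampered with:
            // treat it as "not logged in" and prompt again rather than crash.
            return null;
        }
    }

    public static void Forget()
    {
        if (File.Exists(BlobPath))
            File.Delete(BlobPath);
    }
}
```

Note what this does and does not give you, which is the point several answers make: the file on disk is useless to someone who copies it to another machine or reads it from a different account, but any code already running as the same user can call Unprotect just as the application does. DPAPI raises the bar from "readable by anyone with the file" to "readable only by this user's processes"; it does not protect against a compromised desktop.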