I need my application to be able to remember a user's username and password so that in the future the user doesn't have to enter it again.
Obviously, in order to "remember" the username and password for future use, this means my application will have to store the username and password to disk in some way.
How is this typically done? I know that Pidgin stores the username and password in plain text. I'd like to avoid this if possible. Is there a better way?
EDIT: The platform I'm targeting is Windows.
First, be aware that no method of storing names and passwords locally is going to be secure. Obfuscating and/or encrypting (which I would consider mandatory) will defend against casual snooping, but the data must still be decipherable locally to be useful, and that process can be replicated by a determined hacker. You should always give the user the option of opting out (or opting in) to this scheme. (This is what browsers typically do.)
If you are using the name/password to communicate to a server, a better approach is to obtain an identity token from the server upon successful login and store that locally. That way, even if the encryption is broken, the user's login credentials are not compromised (although access to the account may be, at least until the token is revoked).
EDIT: Since you're targeting Windows, consider using the Data Protection API.
Assuming that you need to store credentials for an external service, such as storing an email account username and password, your only option for secure local storage is to encrypt relevant credentials before writing them to a file.
What method you choose for encryption is a question in it's own right.
Focus your attentions on selecting an encryption mechanism that cannot be brute forced in a reasonable amount of time and selecting an encryption mechanism that permits a straightforward means of setting and changing the key length.
来源:https://stackoverflow.com/questions/6220088/security-how-should-i-store-remember-a-users-username-and-password-for-fut