Hi, by now it seems to be common knowledge that passwords shouldn’t be stored in a database. Backend devs generally know to hash and salt and what-not their transmitted passwords. It seems to be well documented.
However, I wasn’t exactly able to find such a clear answer for client applications accessing e.g. web APIs. For example, let’s assume you were to create a Lemmy desktop application with support for multiple accounts. Ideally, that software would work like a password manager and store its master password as hash only.
However(2), sometimes users like to start said application without entering their password, like an email client in pleb mode, which requires the passwords to be stored somewhere. In this case, what is the best course of action?
Pretty much every OS has some solution to this called a keyring, e.g.:
- https://wiki.archlinux.org/title/GNOME/Keyring
- https://stackoverflow.com/questions/9221245/how-do-i-store-and-retrieve-credentials-from-the-windows-vault-credential-manage
These can be used to basically delegate that job to somebody else. They typically work by protecting the keyring contents with the user’s system credentials.
Thanks!
Ideally you should use the help from the OS. For example, if you target Apple, they provide this keychain API made for that.
But looking around, I found this apparently portable lib https://github.com/hrantzsch/keychain
Windows and Linux do not appear to provide as much security as macOS, but this lib appears to do its best.
Windows Credential Manager is also an option baked into the OS, though I don’t have experience working with it to say how good or bad it is.
For Linux there’s gnome keyring.
I think most applications store it in plain text, but make sure the file is only readable by the current user. This way, we rely on the protection of the OS, instead of doing it ourselves. (I’m not a desktop app developer, so I might be completely wrong, but I think this is what e.g. Firefox does.)
Yeah, it’s not too rare to store passwords in config files (e.g. ~/.config/appname/config.json), usually at least base64 encoded to support special characters. It is usually better to try and store a token instead, as they can be revoked or expired. If you have to store a password, it might be fun to look into storing it in the system keychain, at least for macOS or Linux; not sure if Windows has a keychain.