tags:

views:

493

answers:

8

I am writing an application that needs to read a user name and password and store them so that the program can read them again later. Storing it in some variables sounds like a stupid idea.

Found that KDE library, but it has too huge dependency, and I am too newbie programmer to understand how to use it.

What are the common Methods to storing passwords, and how I can solve my problem?

A: 

what kind of application is it? There are many methods but if its ASP.Net it's common to encrypt in the web.config file.

Davy
It's cross platform c++ application (not some web applet)
Night Walker
+5  A: 

Usually you store the username and a hashed version of the password. See this wikipedia article: hash functions, and this question.

Peter
Hash of the password will not help if you need to use actual password later to log into remote system or something like that.
Kirill V. Lyadvinsky
Absolutely.....
Peter
+3  A: 

It depends on what you are going to do with the information.

If you are going to use the name and password to access some external service (but the user will have to reenter the information the next time the program is run), then storing them in some variables is OK. It might be wise to store them encrypted (at least, store the password encrypted) so that it is not visible in core dumps or the equivalent. When the password is needed, you decrypt it, use it, and then write over where the decrypted version was stored (zapping it). (Note: hashing is not appropriate in this context; you need to be able to see the password, and you can't undo a hash.) You could decide to store the information outside the program (in a disk file), but it doesn't seem necessary. Note that the binary will still contain the encryption key (and encryption algorithm), and encrypted data is more random than the average contents of your program, so to really conceal the encrypted password is actually very difficult (verging on impossible). However, you can make it hard enough that it will stop all but the most determined attackers.

If you are going to store the username and password as a permanent record so that you can validate that the same user is accessing the information in the future, then you must use storage external to the program; you will use a simple database, which might be as simple as a plain text file if you ensure you resolve any concurrency issues. In this case, you will hash the password with some salt, and you'll store the username, salt and hashed password in such a way that given the username, you can easily find the other two values.


Night Walker comments:

I use that password to access some web database, so I need it stored in my application after it is entered for the first time. Are you sure a plain text file is that smart an idea?

It depends on how you conceive 'stored in my application'. You can't modify the executable, or at least shouldn't try to do so. So, you need to look on it as a permanent record stored in some sort of file separate from the application executable. On the other hand, you do face a different problem from what I outlined - you are not authenticating the user with the information; you need to decrypt the information on demand to send on to other applications.

First off, that means that salts and hashes are not relevant; you need to reverse the masking operation, and you can't reverse a hash.

Next, you need to decide how you will identify the user of your application upon reappearance. Will the user be obliged to enter some password to get to their own data, or will you simply rely on the operating system privileges, or some other scheme.

If the user must enter some password into your application to get going, then you can consider using that password (or a hash of it, distinct from the password hash used to recognize the password to the application) to encrypt the username/password combination for the external application. You can then store the username and, for sake of argument, a Base-64 encoded version of the encrypted password into a text file; this is as safe as the application password, which is stored in the original salted hash format. When the user returns, they have to supply their application username and password, and you can validate that combination against the stored values, and then use the password to decrypt the password to the external application.

If the user does not enter a password, then you are more restricted in what you can do. You have to be able to determine a key somehow from the information available to you that can be used to store the user's encrypted password in a file in a restricted location such as a sub-directory underneath their home directory with no group or public access:

mkdir ~/.appname
chmod 700 ~/.appname
cp /dev/null ~/.appname/app.key
...store the encrypted information...
chmod 500 ~/.appname
chmod 400 ~/.appname/app.key

This is less satisfactory because even if you combine a fixed key with the user's name, say, the chances are that someone can work out what that key is (and the encryption technology) and reverse engineer it. (The secrecy of encrypted data depends on the keys; when the key is determinable by the program, it is also determinable by a determined attacker. It is best, by far, to rely on the user to provide the key (or a password or pass phrase) at run-time; then the application does not store anything that an attacker can use offline.

Jonathan Leffler
I use that password to access some web database , so i need it stored in my application after it entered for the first time .Are you sure plain text file is that smart idea ?
Night Walker
so as i see it permanent record is the best idea till now .the application doesnt have any other passwords , and it doesnt meter that other users will use that application .only thing is to try save away the password + username from other ppl .
Night Walker
Yes, storing the information in some permanent file will be necessary. Use a separate file for each user of the application; store the encrypted password in Base-64 encoding (so you have a plain text file). Derive the key used for the encryption from a cryptographic hash of whatever you consider to be the most reliable characteristics of the user (perhaps a concatenation of their user name and user ID number, and maybe some fixed text), and store that in as secure a location as you can devise. The security is less than perfect - what you can devise your attackers can discover.
Jonathan Leffler
how i can do following thing in c++ ?in Base-64 encoding , cryptographic hash ?it just first time i deal with this problem .thanks .
Night Walker
There's an expression - STFW. There's another - LMGTFY. Base-64 encoding is defined in IETF RFC 4648. For 'cryptographic hash', you could look up 'MD5' or 'SHA-1' or 'SHA-256'. There are question marks against all those hashes - for the utmost in seucurity, you should probably not use MD5 and maybe not SHA-1. NIST is running a competition to choose a replacement hash algorithm (http://csrc.nist.gov/groups/ST/hash/sha-3/index.html).
Jonathan Leffler
Also, DIY cryptography is usually bad cryptography - try to find someone else's code to use - a well-established, respectable library. You will still need to make some decisions, but the fewer the better. (I would always endeavour to use someone else's code.)
Jonathan Leffler
For cryptography in C++, one can only recommend crypto++, not so easy to use (there are some concepts to grasp), but the implementation is sound.
Matthieu M.
+1  A: 

What about MySQL or SQLite? Hash the password and store them in a persistent database, no?

jldupont
+1  A: 

Common method to store passwords for later use is to store them in some encrypted cache. That cache is encrypted using some master password. User should enter master password each time you need password from cache. KeePassX is a small open source application that uses master password to store personal data (user names, passwords, etc.) It has a light interface, is cross platform and published under the terms of the GNU General Public License. You could check it as sample and use some parts of it.

Kirill V. Lyadvinsky
A: 

At spotep.com we only store the username and a hashcode of the username combined with the password. The benefit of this is that similair (often trivial) passwords wont result in the same hashcode (which is stored in a cookie, and therefore very unsafe).

Viktor Sehr
nice web site but you missed a lot of series there caprica , battlestar galactica , sons of anarchy etc ...
Night Walker
Hmm, No we dont?
Viktor Sehr
A: 

I would suggest storing a hashed password in SQLite. Then whenever you need to check a password, hash it and then compare it against the stored value. This keeps the stored passwords secure so no one (not even you) know what they are.

Jakobud
+1  A: 

You could try QSettings which provides persistent platform-independent application settings. Solutions like mysql would be overkill unless you have hundreds of passwords to store.

PiedPiper