Protecting user passwords in desktop applications (Rev 2)

Question

I'm making a twitter client, and I'm evaluating the various ways of protecting the user's login information.

IMPORTANT: I need to protect the user's data from other other applications. For example imagine what happens if a bot starts going around stealing Twhirl passwords or Hotmail/GMail/Yahoo/Paypal from applications that run on the user's desktop.

Clarification: I asked this before without the 'important' portion but stackoverflow's UI doesn't help with adding details later inside the Q/A conversation.

• Hashing apparently doesn't do it
• Obfuscating in a reversable way is like trying to hide behind my finger
• Plain text sounds and propably is promiscuous
• Requiring the user to type in his password every time would make the application tiresome

Any ideas ?

Answer 1

What amount of time and effort put into an attack are you trying to protect against?

There's no perfect security.

Answer 2

This is a catch-22. Either you make the user type in his password every time, or you store it insecurely (obfuscated, encrypted, whatever).

The way to fix this is for more operating systems to incorporate built-in password managers - like OS X's Keychain. That way you just store your password in the Keychain, the OS keeps it secure, and the user only has to type in 1 master password. Lots of applications (like Skype) on OS X use Keychain to do exactly what you are describing.

But since you are probably using Windows, I'd say just go with some obfuscation and encryption. I think you may be slightly paranoid about the password-stealing-bots; if your application doesn't have a large userbase, odds are pretty low that someone will target it and specifically try to steal the passwords. Besides that, they would also have to have access to their victim's filesystem. If that's the case, they probably have a virus/worm and have bigger problems.

Answer 3

Upon further contemplation I think I found a way. I will use ASP.net authentication for my application desktop application, store their credentials online and let Internet Explorer's password manager handle the local caching of this secondary pair or credentials for me.

I will just have to have them authenticate through a Facebook-API like form during the first login.

Answer 4

I think you are missing the bigger picture here:

If the desktop is compromised, you're F#*%ED!

To steal a password from your program, a virus would have to be running on the system as administrator. If the virus has achieved that, stealing passwords from your program is way down on it's list of malicious things it wants to do.

Answer 5

I don't get it... why is encryption no good? Use a large key and store the key in the machine key store (assuming Windows). Done, and done.

Answer 6

Store it in plain text and let the user know.

That way, there are no misconceptions about what level of security you have achieved. If users start complaining, consider xor'ing a published-on-your-website constant onto it. If users keep complaining, "hide" the constant in your code and tell them it's bad security.

If users can't keep bad people out of the box, then in effect all secret data they have is known to Dr. Evil. Doesn't matter whether it's encrypted or not. And if they can keep evil people out, why worry about storing passwords in plain text?

I could be talking out my ass here, of course. Is there a study showing that storing passwords in plain text results in worse security than storing them obfuscated?