views:

329

answers:

6

I'm making a twitter client, and I'm evaluating the various ways of protecting the user's login information.

IMPORTANT: I need to protect the user's data from other other applications. For example imagine what happens if a bot starts going around stealing Twhirl passwords or Hotmail/GMail/Yahoo/Paypal from applications that run on the user's desktop.

Clarification: I asked this before without the 'important' portion but stackoverflow's UI doesn't help with adding details later inside the Q/A conversation.

  • Hashing apparently doesn't do it
  • Obfuscating in a reversable way is like trying to hide behind my finger
  • Plain text sounds and propably is promiscuous
  • Requiring the user to type in his password every time would make the application tiresome

Any ideas ?

+2  A: 

What amount of time and effort put into an attack are you trying to protect against?

There's no perfect security.

Cade Roux
I think the question is universal. If the most popular desktop mail clients that access gmail/hotmail can't solve it, we have a serious problem.
KCorax
We don't have a serious problem. A user trusts the applications they have installed. Granted the machine could be compromised by viruses or malware, but that's like saying a Boeing 747 has a problem because it can be shot down by a missile!
RB
+8  A: 

This is a catch-22. Either you make the user type in his password every time, or you store it insecurely (obfuscated, encrypted, whatever).

The way to fix this is for more operating systems to incorporate built-in password managers - like OS X's Keychain. That way you just store your password in the Keychain, the OS keeps it secure, and the user only has to type in 1 master password. Lots of applications (like Skype) on OS X use Keychain to do exactly what you are describing.

But since you are probably using Windows, I'd say just go with some obfuscation and encryption. I think you may be slightly paranoid about the password-stealing-bots; if your application doesn't have a large userbase, odds are pretty low that someone will target it and specifically try to steal the passwords. Besides that, they would also have to have access to their victim's filesystem. If that's the case, they probably have a virus/worm and have bigger problems.

amdfan
Encryption doesn't matter much. Read the first answer. Keychain isn't bad would also require at least an extra click. I'm looking for sth transparent preferably.
KCorax
And if they have a virus/worm then it could be key logging and their password is caught anyway. You're right on here.
tloach
First answer? What do you mean Keychain would require an extra click?
amdfan
@amdfan Keychain doesn't just hand out the credentials. The user needs to authorize the exchange.@tloach actually in Vista I can invoke the UAC password prompt to get rid of software intervention. XP is vulnerable though.
KCorax
When I load Skype on OS X, it loads the password without asking my permission. You can tell Keychain to skip the prompt.
amdfan
Actually windows does have a keychain equivalent; DAPI and KeyStore - but even then they are limited to a user, not a particular piece of software. Does Keychain actually limit credentials to a program?
blowdart
+1  A: 

Upon further contemplation I think I found a way. I will use ASP.net authentication for my application desktop application, store their credentials online and let Internet Explorer's password manager handle the local caching of this secondary pair or credentials for me.

I will just have to have them authenticate through a Facebook-API like form during the first login.

KCorax
+2  A: 

I think you are missing the bigger picture here:

If the desktop is compromised, you're F#*%ED!

To steal a password from your program, a virus would have to be running on the system as administrator. If the virus has achieved that, stealing passwords from your program is way down on it's list of malicious things it wants to do.

James Curran
+1  A: 

I don't get it... why is encryption no good? Use a large key and store the key in the machine key store (assuming Windows). Done, and done.

Robert C. Barth
I think the author worries that someone can reverse engineer your application, recover the key, and use it to take the password. This probably won't happen with the author's application unless it becomes mega-huge.
Matt Green
The key is stored in the machine key data store. Ideally, he'd write the app so that the first time it runs it generates a random key and stores it. No two installations of the application would then use the same key.
Robert C. Barth
@Robert: If the KeyStore api worked for my case (Clickonce deployment) I'd rather store my data in there directly instead of going to the extra step of encrypting it before storing it.
KCorax
+2  A: 

Store it in plain text and let the user know.

That way, there are no misconceptions about what level of security you have achieved. If users start complaining, consider xor'ing a published-on-your-website constant onto it. If users keep complaining, "hide" the constant in your code and tell them it's bad security.

If users can't keep bad people out of the box, then in effect all secret data they have is known to Dr. Evil. Doesn't matter whether it's encrypted or not. And if they can keep evil people out, why worry about storing passwords in plain text?

I could be talking out my ass here, of course. Is there a study showing that storing passwords in plain text results in worse security than storing them obfuscated?

Jonas Kölker
+1 for let the user know
furtelwart