0

I'm writing a client-side program (in C) to access a certain web site, and I'd like to implement a 'remember password' feature in it. I don't think storing it in plain text is a good idea (what if the user's running malicious software which might find the password?), so I'm wondering: what's the best way of storing a password in such a case? I need to be able to recover it verbatim (a hash/salt won't do, the server needs the entire password), and the solution needs to be somewhat portable (it has to work at least on GNU/Linux).

DusXMT
  • 11
  • 2

1 Answer

0

You can use the OpenSSL library and write the password, encrypted with AES, to a file. The location of the file may be known only by the user. Otherwise, you can use a system variable as the key.

If the user compiles the program, you can generate a key and compile it in (so it is stored in the executable).

Akimoto
  • 368
  • 2
  • 11
  • Er… and where is the key supposed to be stored? – mafso Jun 08 '14 at 11:52
  • You can store it in a file that the user chooses or use a system variable – Akimoto Jun 08 '14 at 11:55
  • Yes, but then: Why not store the password as plaintext? – mafso Jun 08 '14 at 11:56
  • The protection is that we cannot know where this file is. Or if he uses a system variable, it will be different for each user, so there is no need for a file. – Akimoto Jun 08 '14 at 12:00
  • That's not a reason to encrypt anything, as the same reasoning holds true for a file at an unknown location containing the plaintext password. – mafso Jun 08 '14 at 12:02
  • …and by the way: Where would you store the location of the file? – mafso Jun 08 '14 at 12:05
  • For the location, the user will have to fill it in at each launch. But I agree it can be debatable. But what do you think about using a system variable as the key? The point of encryption is that we can't see the password. That's what the user wants. – Akimoto Jun 08 '14 at 12:10
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/55275/discussion-between-mafso-and-kirito). – mafso Jun 08 '14 at 12:17
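
An added example, not code from the question or the answer: the comments argue that a password encrypted with a key kept on the same machine is only as protected as that key, so this sketch shows the access-control baseline on GNU/Linux, a password file only its owner can read, which the loader rejects if its permissions have been loosened. It keeps other local accounts out but does nothing against software running as the same user; `save_secret` and `load_secret` are hypothetical names.

```c
/* Added example: remembered password in a file restricted to its owner. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create or replace `path` with mode 0600 and write the secret. 0 on success. */
int save_secret(const char *path, const char *secret)
{
    size_t len = strlen(secret);
    /* O_NOFOLLOW: refuse to write through a symlink planted at `path`. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* open() ignores the mode for a file that already exists, so force it. */
    if (fchmod(fd, 0600) != 0 || write(fd, secret, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Read the secret into buf (NUL-terminated). Returns its length, or -1 if
 * the file is missing, not ours, or accessible to group/others. */
ssize_t load_secret(const char *path, char *buf, size_t cap)
{
    struct stat st;
    ssize_t n;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check the opened descriptor, not the path, to avoid a check/use race. */
    if (cap == 0 || fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        return -1;
    }
    n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}
```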