1

I am trying to implement the capability for my program (C++) to remember a user/password combination, so the user does not need to type it in again.

Is there a secure way for my program to store this? Preferably cross platform as well.

Vilican
  • 2,703
  • 8
  • 21
  • 35
Catprog
  • 13
  • 5
  • Remember during the execution of the program or forever? If only during the execution of the program, you don't have to store the secret on the disk. – void_in Nov 21 '15 at 09:56
  • Remember for the next time they open the program. – Catprog Nov 22 '15 at 12:01

2 Answers2

1

Is there a secure way for my program to store this? Preferably cross platform as well.

Secure against what kind of attack?

  • Against a remote attacker with no access to the machine: probably simply saving it as a file will do it, although in practice you will probably do it less obvious (see next point).
  • Against an attacker with access to the machine: There is no 100% secure way, because if your program can access the secret the attacker (with at least the same permissions) can do the same. You could only make it harder by saving the file at non-obvious places, hiding it within innocent content (like with steganography), obfuscating the information, encrypting it (although the secret must be accessible by the application and thus will also be accessible by a determined attacker).
Vilican
  • 2,703
  • 8
  • 21
  • 35
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
0

Reframe the problem. The user experience goal - allow the user to authenticate without credentials - is the real goal. This kind of security goal is not well-suited to endpoints. There are safer alternative solutions than saving the username and password, one of which I will suggest now. Bear in mind that this only works if you control the server or can deploy an intermediary like a proxy.

Create a time-limited token on the server. Associate it with the user. When the user connects the program supplies the token if present and is authenticated. Otherwise the user is prompted for credentials.

With an intermediary you would store the credentials on the intermediary keyed by the token in an encrypted form and use a separate encryption service (something like Amazon KMS perhaps) to decrypt them.

Again, if you only have client side control then the best option you have is similar to the above using an encryption service from the client, but then you are subject to endpoint attack at @SteffenUlrich has already identified in his response. There are APIs that transparently wrap platform specific key management solutions like gnome-keyring, OS X's KeyChain, and Windows Credential Vault under a common API. For example this Python keyring module does that:

https://pypi.python.org/pypi/keyring

At that point the credentials are as secure as anything else the OS is managing.

Alain O'Dea
  • 1,615
  • 9
  • 13
  • 1
    Thank you. I am coding the server and client so the first one sounds like the solution I will use. (possibly using the key management system as well) – Catprog Nov 22 '15 at 12:16
  • @Catprog the first is pretty much the same as web session IDs in a web app. The main extension of it from typical session use is persistent storage of the session token. You could add a token column/field to your user record/table and accept that instead of username and password. Combining that with key management on your client makes for a pretty robust and user friendly system :) – Alain O'Dea Nov 22 '15 at 15:58