How to safely "remember" login information in a program

Question

Possible Duplicate:
How to Securely Implement a “Remember Me” Feature?

I have a program that communicates with a server. The user must log in with the application which runs on their computer, the application will send their username and password to the server (over TLS of course) and the server will log them in.

I want to offer a "remember my username/password" feature, so that after logging in once, they don't have to log in any more, much like Dropbox or web browsers or many other programs do. How can I implement this securely? I have to send the actual password to the server, not the hash, so I can't store an hash, and if I encrypt it then I have the same problem with storing the key.

Forgive me if this is a duplicate, I searched and couldn't find one.

You can't except the best you can do is store it in a file and try to secure the file. Its just like "Remember Password" on your browser...that crap isn't secure at all because it's stored in cleartext too. — , Nov 29 '12 at 19:08
Except that you can set that up securely for a browser by configuring a password. — Lucas Kauffman, Nov 29 '12 at 19:11
Do Browsers encrypt those or just authorize who and who can't access it. If they aren't encrypted won't the passwords be recoverable from a cold boot attack — , Nov 29 '12 at 19:15
@LucasKauffman what do you mean by "configuring a password"? — Spiro Xavier, Nov 29 '12 at 19:16

score 1 · Answer 1 · edited Mar 17 '17 at 13:14

1

The best way to do this is to store a session value with the application. The idea behind that is described in my answer here to another authentication question. That prevents exposing stored credentials and allows a user to invalidate sessions if they lose control of the machine without risking compromise of their password.

edited Mar 17 '17 at 13:14

Community

1

answered Nov 29 '12 at 19:53

Jeff Ferland

38,090
9
93
171

How to safely "remember" login information in a program

1 Answers1