There are already plenty of questions about what to do when websites store plain-text passwords. But this one is a little different.
I use a piece of open-source (see below) software for playing games. It requires a user account that isn't directly linked to any services. Log-in consists of entering a username and a password into a dialogue, but that dialogue also provides a "Save Password" option.
This option saves the password using an API designed for storing settings in cross-platform applications. But due to the fact it's meant to save non-confidential settings that can be changed outside of the application, it saves the data in plain-text. And it does so in locations that don't require any special permissions to access. For example, on Windows the API stores the settings in the registry (in a location that even non-admins at least have read-only access to).
The API is being passed the password in plain-text and thus storing the plain-text password. This means I can run a simple command from a non-elevated prompt on my machine now and get the last password I used in plain-text.
Additionally, any software on my computer can easily access this information. I recently wrote a small program that updated certain files the software uses. However, I started getting complaints that the program couldn't edit the files even though it found them. It turned out that users hadn't been running the program as an administrator. But that means that even though my program wasn't allowed to access the program's game files, it was allowed to read the same registry keys that contain the plain-text password, even when Windows' security had blocked it as a downloaded program.
I've brought up the issue before, but despite my best efforts, no one seems to be taking this as a serious problem (see below).
Question: Am I making 'much ado about nothing', or is storing the password in plain-text locally just as serious a problem as I believe storing the password in plain-text anywhere is?
Note: It being open-source does mean I could "fix" the problem, but there are some issues:
It's fully cross-platform (and there is no platform-specific code used). Most systems I know that could store the password in a relatively secure manner are highly platform dependent (like DPAPI).
The main development group is extremely small, and it doesn't seem any of them understands the relevance of securing the passwords. I've brought up the topic before, and the response I got makes it unlikely that a PR will get any result. The only person who runs a server using the software that I know of brushed it off as me "arguing for the sake of arguing". His response was:
"I don't know that I agree that the responsibility falls on the tool, that's like saying we shouldn't build guns cause they can be used in a bad way, it's up to the person using the tool to take on that responsibility"... "if someone is dumb enough to put their bank account password into [the program] maybe they should consider doing some research into security".
I then recalled seeing something about the passwords stored with encryption, so I tried to convince him that some of the same reasoning that dictates databases should encrypt passwords applied to locally stored passwords. But he disagreed (it seems the fact the passwords are encrypted at all is a little bit of cargo cult programming):
"the db is publicly accessible [I don't see why it should be, that's a whole other issue], that's completely different. your machine shouldn't be sitting out in the world for people to access" ... "once again, if your machine is dangling out in the world with no protection don't come crying"
The average user doesn't seem to understand the relevance either, so forking the repo and providing a fix won't do anything. Since the software is for a free game with no ranking or monetization, they don't understand why I'd be so concerned about someone finding out my password (or why they should be). The slightly more knowledgeable ones simply brush it off saying that it's a user's fault if their password isn't unique to that account.
I don't agree there should be a "Save Password" function at all. Storing passwords locally is notoriously difficult to do correctly (even systems like DPAPI are far from perfect). I rarely feel that it's worth the trouble to provide the functionality. And I especially don't see the point for a program like this one.
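To make the two points above concrete (a settings API that writes whatever it is given, and the objection that a safer store would need platform-specific code), here is an added example that is not part of the original post or of the program it describes. It writes the password through a plain settings store and, beside it, hands the secret to the OS credential store through the third-party `keyring` library (an assumption on my part; it wraps Windows Credential Manager, macOS Keychain and Secret Service on Linux behind one cross-platform call) and refuses to persist the secret when no such store is available. `SERVICE` and the sample password are constructed values.

```python
# Added example, not the original poster's software: contrasts saving a
# password through a plain settings store, as the post describes, with
# handing it to the OS credential store via the third-party "keyring"
# library (assumed installed; it is not mentioned in the post).
import configparser
import os
import tempfile

try:
    import keyring  # Windows Credential Manager / macOS Keychain / Secret Service
except ImportError:  # no keyring: there is no safe place to persist the secret
    keyring = None

SERVICE = "example-game-client"  # constructed name for the unnamed program


def save_settings_plaintext(path, username, password):
    """Weak pattern: the settings store writes exactly what it is given, so the
    password lands as readable text wherever the settings live."""
    cfg = configparser.ConfigParser()
    cfg["login"] = {"username": username, "password": password}
    with open(path, "w") as fh:
        cfg.write(fh)
    with open(path) as fh:
        return fh.read()


def save_settings_keyring(path, username, password):
    """Corrected pattern: only the non-secret username goes to the settings
    store; the password goes to the OS credential store or is not saved at all.
    Returns the settings file text and a status word for the secret."""
    cfg = configparser.ConfigParser()
    cfg["login"] = {"username": username}
    with open(path, "w") as fh:
        cfg.write(fh)
    with open(path) as fh:
        text = fh.read()
    if keyring is None:
        return text, "not-saved"
    try:
        keyring.set_password(SERVICE, username, password)
        return text, "keyring"
    except Exception:  # e.g. keyring.errors.NoKeyringError on a headless box
        return text, "not-saved"


def demo():
    """Run both patterns on temp files; report whether each leaks the password."""
    pw = "hunter2-constructed"  # constructed sample value
    with tempfile.TemporaryDirectory() as d:
        weak = save_settings_plaintext(os.path.join(d, "weak.ini"), "alice", pw)
        fixed, status = save_settings_keyring(os.path.join(d, "fixed.ini"), "alice", pw)
    return pw in weak, pw in fixed, status
```

The settings file produced by the weak pattern is readable by any process running as that user, which is exactly the exposure the post describes; the corrected pattern never writes the secret there, whatever the platform.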