You're writing a program that connects to a server, and want to store the user's login details for their convenience. How do you do so securely?
Short answer: you won't like any of the suggestions.
A surprising number of programs store the login details in plain text, and rely on the Operating System's (OS') file protection. The file is restricted to be accessible by one user only. This does provide some protection. However, the password is still in plain text, so it's "game over" is something goes wrong.
At this stage you probably think: encrypt the file. Brilliant! But, where are you going to store the encryption key? You could try hiding it on the hard driver. However, once a hacker knows where to look, they just need to swipe two files instead of one. What about storing it in the program itself? That's not much better, because a hacker could analyse the program file, and extract the key. Then he/she could decrypt the password file on everyone's computer.
Another option would be to generate the encryption key from something like a hardware ID. This could work in some cases, with the caveat that the password will become inaccessible if the hardware changes. Your hardware ID had better be very reliable...
The most secure option is for the user to have a master password. This is what password managers such as LastPass (affiliate link), BitWarden, and others use. The master password is the seed for the encryption key used to store all other passwords. Thus, every user's encryption key is different, and only the user has access. Some OSes have this built in. On the down side, your program won't have access to the password until the user logs in.
One thing that may help, is to use access tokens instead of usernames and passwords. As the name suggests, the token gives access to the server without needing the username and password.
But, you protest, you still need to store it on the user's computer somewhere. You haven't solved anything. True, but it does two things:
- The username and password aren't stored, making them impossible to steal. Access tokens can be revoked when they're compromised, without needing to change the password
- Access tokens can be programmed with restricted access. You could, for example, create a "read-only" access token. This minimizes the damage caused if the token is compromised
Online security is a game of making it hard to break in, and limiting the damage done should a breach occur.
Access tokens are worth using when available. This depends entirely on whether the server supports access tokens or not.
Know of a technique that isn't mentioned above? I'd love to hear from you.
NOTE: I didn't talk about Hardware Security Modules (HSM) because, last I checked, they're expensive and not included with most user's computers. So, most of the time they're not an option.
Hans, Why Are You Looking Into Client-Side Password Storage?
I have plans to write client software to complement ZitaFTP Server...