How to store passwords and sensitive data in a desktop client application (Java)?

Question

I want to make an application which will monitor user's email account for incoming emails as well as his twitter account for tweets. The user has to provide his login credentials therefore. My doubt is how and where to store this sensitive data? I don't want my application to annoy the user asking these things repeatedly.

Moreover, if I should encrypt and then store these data then how should I protect the key which I am using in my application?

Answer 1

The point of encryption is to make the secrecy of a plaintext depend on the secrecy of a smaller key.

In the case, encryption alone is useless to you, since you have no way to store the key either.

Instead, you need to use some existing secret managed by a third party (using a password), and use it to derive a key.

On Windows, you can use the DPAPI, which is ultimately backed by the user's login password.
If the user forgets his password (or if it is changed from a different account), your data will be irrecoverably lost.

Note that this will not defend against code running as that user.
You need to decide what you're trying to defend against.

Answer 2

If you really need it (it's no good idea but...) you may want to create encrypted storage for passwords like Firefox has for example. Users will protect passwords with master password.