Menu
I'm writing a C# application that will be open source and I need to be able to store saved login information for each user. Normally I would just encrypt the password and then store it in a user settings file, but I worry that because of the code being open source it kind of defeats the point of encrypting it. Since all anyone would have to do is look at the code and grab the encryption key.
Granted, it would at least make it a lot harder than the password being stored in plain text. But is there any decent way of encrypting the password, but making it still at least extremely difficult to decrypt it even if you had the source? Maybe make it so it would at least be nearly impossible to decrypt on any computer other than the one it was encrypted on?
EDIT: Clarification... I'm storing CLIENT side passwords, NOT passwords to validate their login for the service. It's a client to a pre-existing web service of which I have no control. I just want to store the passwords locally for automatic login... like any chat client would.
EDIT 2: Totally sorry for not being clear before. But passwords have to be retrieved in clear text at some point and hashing is NOT an option :( Even if the service would let me pass the password hash that would kinda defeat the purpose because the hash would be as good as a password :P
355
Best place to store passwords — A reputable password manager app is the best way to store passwords securely. A password manager allows you to easily create, manage, and access your secure passwords.
So is it safe to use open-source password managers? In short, yes, it is. In fact, in many cases, it could be safer than a proprietary alternative. The trouble is, closed-source password managers don't enable a user to audit the source code independently.
There is no better way to keep your passwords safe than to use a password manager, like Bitwarden. A good password manager should do more than store passwords, such as generate strong passwords and monitor data breaches for compromised passwords.
Open source password managers help organizations safely store user credentials to eliminate the risk of breach. Let's look at five of the best password managers in 2022. Open-source password managers foster trust and transparency.
What you are asking is basically, impossible.
There is no way to safely store a password on a client machine if it needs to be decrypted. This is further aggravated by the fact that you need it to connect to a service, which I presume does not support SSL. In this case, one could trivially find the password by using a network analyzer.
There is a game (closed source, of course) I play that requires a login, the password is saved somewhere but it's encrypted with a key that's unique to each install. I forgot the password once, so I just used Wireshark, and voila - I could see the plain password.
This also reminds me of people complaining about it being easy to reveal passwords in Google Chrome... They obviously don't know better. You can try all the clever tricks you want, but any application security is thrown out the window once someone has access to the machine.
So with this in mind, I would keep the encryption and decryption really simple. At best, you can create a key derived from something unique to the machine, so someone who steals the encrypted password will be unable to decrypt it without access to said unique key.
101
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
