From: Jonathan Lee on 14 May 2010 10:32

Can anyone tell me if there are "reasonably" safe ways of storing passwords on disk? For example, my e-mail client clearly saves my passwords somewhere. If it doesn't store them as plain text, it probably encrypts them. But then the key must be stored somewhere... etc. I can't see how this can be done safely.

Or is printing a disclaimer about remembering passwords considered "good enough"?

Thanks for any information

--Jonathan

PS I want to know so that I can look into implementing something similar myself.
From: Dave -Turner on 14 May 2010 11:30

> If it doesn't store them as plain text, it probably encrypts them.
> But then the key must be stored somewhere...
> etc. I can't see how this can be done safely.

If you only need storage to determine that the key is VALID (as opposed to being able to see the actual key) then you can simply use one-way hashes such as MD5, SHA etc.
From: Gordon Burditt on 14 May 2010 12:29

>passwords on disk? For example, my e-mail client clearly saves my
>passwords somewhere. If it doesn't store them as plain text, it
>probably encrypts them. But then the key must be stored somewhere...
>etc. I can't see how this can be done safely.

If the email client is able to access, say, your POP account (which I'll assume is on a different server, say, Google or Yahoo), without demanding a password, then it's possible for anyone with the same access to files as you have to do the same thing, regardless of how many levels of encryption are used (the key needs to be stored somewhere ...).

It's possible that just running your email client under a debugger and stopping it at the right point can reveal your password. This is one of the reasons that DRM is doomed to failure: the cable box or whatever needs to have all the keys needed to decrypt the video if you happen to be authorized to view that material.

Your login password and file access permissions tied to it may protect the files containing your email password (but not against the system administrator, who can also do nasty things like modify the email client to log passwords, or sniff network packets if login is being done using unencrypted POP protocol).

Now, what computer is this information stored on? If it's your desktop or laptop, you're probably not safe from other people with physical access to your computer, like other household members. Storing a password in encrypted form may be good enough to protect it from "casual snoopers" who know how to view files in editors but are not prepared to mount a complex attack.

>Or is printing a disclaimer about remembering passwords considered
>"good enough"?

I clearly don't understand the situation here. If you are writing an email client (or client for a similar protocol), you shouldn't be saving passwords without asking the user whether to save passwords, and getting an affirmative response.

If this is a legal question, talk to a lawyer, especially if the password you are saving belongs to a user's bank or stockbroker accounts.
From: Jonathan Lee on 14 May 2010 13:26

On May 14, 12:29 pm, gordonb.ah...(a)burditt.org (Gordon Burditt) wrote:
> If the email client is able to access, say, your POP account (which
> I'll assume is on a different server, say, Google or Yahoo), without
> demanding a password, then it's possible for anyone with the same
> access to files as you have to do the same thing

That's what I was thinking...

> >Or is printing a disclaimer about remembering passwords considered
> >"good enough"?
> I clearly don't understand the situation here. If you are writing
> an email client (or client for a similar protocol), you shouldn't
> be saving passwords without asking the user whether to save passwords,
> and getting an affirmative response.

Sorry, by disclaimer I was thinking a question, warning about the danger, and getting an affirmative response. Ex.,

"If you would like to have [e-mail client] remember your passwords, be aware that this is dangerous and we don't guarantee that this is safe. Do you want to continue? yes/no"

Given what you said above, it seems this is all you can do. Which is more or less what I expected, but I wanted to be sure.

So I guess I'll scramble the file to prevent "casual snoopers" and rest the 'security' on file permissions :/

Thanks for your comments

--Jonathan
From: Ivan Voras on 17 May 2010 07:29

On 05/14/10 19:26, Jonathan Lee wrote:
> So I guess I'll scramble the file to prevent "casual snoopers" and
> rest the 'security' on file permissions :/

The latest Thunderbird for example does this - saves the passwords to files so the user doesn't have to enter them all the time, but also strongly encrypts these files with a user-given password. In this case, not only does the user have to "agree" to it, but he also needs to enter one global "master password" every time the application starts to unlock all the other account passwords. It makes sense because Thunderbird supports a large number of accounts per person.

(of course, all other attacks of the "attach a debugger to the application" sort cannot be defended against in this way)
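Added example, not part of any post in this thread and not Thunderbird's own code: a sketch of the master-password approach described in the last post, where the encryption key is derived from the typed password instead of being stored next to the data. The function names, file layout, iteration count and the HMAC-based stand-in cipher are assumptions of this example.

```python
import hashlib, hmac, json, os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune per machine)

def _keys(master, salt):
    # The key is recomputed from the typed master password on every start;
    # only the random salt is stored, never the key itself.
    root = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    enc_key = hmac.new(root, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(key, nonce, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode, because the standard
    # library has no AEAD. Real code should use a vetted one (e.g. AES-GCM).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(master, accounts):
    """Encrypt a {account: password} dict; returns salt | nonce | ct | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master, salt)
    plain = json.dumps(accounts).encode()
    body = salt + nonce + _xor(plain, _keystream(enc_key, nonce, len(plain)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(master, blob):
    """Return the account dict, or raise ValueError on a wrong password
    or a modified file (the tag is checked before anything is decrypted)."""
    if len(blob) < 64:
        raise ValueError("truncated password file")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(master, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or modified file")
    return json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))

def save(path, blob):
    # Owner-only permissions as a second layer, as discussed in the thread.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(blob)
```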