I'm making a twitter client, and I'm evaluating the various ways of protecting the user's login information.
IMPORTANT: I need to protect the user's data from other applications. For example imagine what happens if a bot starts going around stealing Twhirl passwords or Hotmail/GMail/Yahoo/Paypal from applications that run on the user's desktop.
Clarification: I asked this before without the 'important' portion but stackoverflow's UI doesn't help with adding details later inside the Q/A conversation.
- Hashing apparently doesn't do it
- Obfuscating in a reversible way is like trying to hide behind my finger
- Plain text sounds and probably is promiscuous
- Requiring the user to type in his password every time would make the application tiresome
Any ideas?
Store it in plain text and let the user know.
That way, there are no misconceptions about what level of security you have achieved. If users start complaining, consider xor'ing a published-on-your-website constant onto it. If users keep complaining, "hide" the constant in your code and tell them it's bad security.
If users can't keep bad people out of the box, then in effect all secret data they have is known to Dr. Evil. Doesn't matter whether it's encrypted or not. And if they can keep evil people out, why worry about storing passwords in plain text?
I could be talking out my ass here, of course. Is there a study showing that storing passwords in plain text results in worse security than storing them obfuscated?