Hi, by now it seems to be common knowledge that passwords shouldn’t be stored in a database. Backend devs generally know to hash and salt and what-not their transmitted passwords. It seems to be well documented.

However, I wasn’t exactly able to find such a clear answer for client applications accessing e.g. web APIs. For example, lets assume you were to create a Lemmy desktop application with support for multiple accounts. Ideally, that software would work like a password manager and store its master password as hash only.

However(2), sometimes users like to start said application without entering their password. Like an Email client in pleb mode. Which requires the passwords to be stored somewhere. In this case, what is the best course of action?

You are viewing a single thread.
View all comments
2 points
*

Ideally you should use the help from the OS. For example if you target Apple they provide this keychain API made for that.

https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_keychain

But looking I found this apparently portable lib https://github.com/hrantzsch/keychain

Windows and Linux do not appear to provide as much security as macOS but this lib appear to do its best.

permalink
report
reply
1 point
*

Windows credential manager is also an option baked into the OS, though I don’t have experience working with it to say how good or bad it is

permalink
report
parent
reply
1 point

https://code.visualstudio.com/docs/editor/settings-sync#_troubleshooting-keychain-issues

This shows how MS Visual Code stores the password in keychain in various OSes.

permalink
report
parent
reply
0 points

For Linux there’s gnome keyring.

permalink
report
parent
reply

Ask Experienced Devs

!ask_experienced_devs@programming.dev

Create post

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

Community stats

  • 1

    Monthly active users

  • 41

    Posts

  • 418

    Comments

Community moderators