I recommend one of three approaches:

• Avoid storing the password at all by using authentication tokens. In this model, the user logs in one time, and the server generates a unique, large, sparse token that the client can store and use as its login “password.” The server only accepts this token from one client at a time, so if two clients try to use it simultaneously, the token is invalidated. The token is also generally invalidated after a period of time (1 week, 2 weeks, a year, whatever is appropriate). When the token is invalidated, the user must log in again by hand and the process is repeated. This is basically the approach of Gmail and similar web site logins.

• If you must store the password, I recommend relying on the OS to manage it for you. Windows and Mac both have good secure storage systems (DPAPI and Keychain respectively). Linux doesn’t have a good always-available solution, though, so it depends on your market. The advantage of using the OS is that the OS can provide protections you can’t easily provide yourself, and the user can centrally manage the overall protection of the OS storage (using smartcards, etc.) to a level you are unlikely to reproduce. The OS secure stores are also typically quite convenient for the user.

• If neither of these are options, then store an encrypted file with a master password that the user must enter every time they launch your app. This is how Firefox works (or at least it did last time I looked, which has been a while). This is reasonably secure, but much less convenient for the user (and low convenience often means low adoption by the users, or poor use through simpler passwords, etc). I would investigate the Firefox code as an example of how to implement this.