Home/ Questions/Q 5999395
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T00:32:45+00:00

I’m writing a piece of open-source client software that can connect to web services

  • 0

I’m writing a piece of open-source client software that can connect to web services on behalf of a user. The user enters his username and password, and the software connects using those credentials.

For convenience purposes, I have an option for the software to save the user’s credentials so that they don’t need to be entered again in the future.

However, since this is open-source, I’m not sure how I can store the credentials in a reasonably secure way. It strikes me that any method I use to encrypt the password could easily be reversed and used to decrypt the password. I realize that perfect security is impossible, but is there a better practice than using ROT13 like I’m currently doing?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There’s a pretty good treatment of saved passwords in an open-source client by the Pidgin developers; the same reasoning would apply to a web service client.

    Executive summary:

    • If the app saves passwords itself, leave them in plain text and set the file permissions to be readable only by the user. (This makes it obvious that the settings file is sensitive!)
    • Provide the option to integrate with a platform keyring API such as the Windows Data Protection API or a keyring application like KeePass.
    • 0