save app password

Dear all,

I’ve written a little app with a login window for the user.
Now, the user needs to store his credentials so that he doesn’t have to enter them every day, like it usually is on other apps.
This should work for Windows and Mac.
What’s the best way to do this?
Many Thanks!

In my opinion, the concept of storing the password so the user does not have to enter it every time he logs in, is as good as not having one at all.

I don’t think that there is any good way to do it at all, unless you are entertaining the idea of connecting to big league things such as Kerberos, etc. That is going to be an interesting challenge.

I strongly recommend that you think your requirements over, and that you force UID and password entry every time if securing the application is of any importance at all.

On macOS use the Keychain, if you must save a password.

I wrote a class to imitate Keychain on Windows and Linux; you can test it in this thread.

Horrified to learn yesterday that my stored passwords for EVERYTHING, going back years, are present in my iPhone

Why are you horrified ??? Isn’t that the point of the keychain?

I often find myself looking up old passwords that had been forgotten when some login page has changed (like for my mother’s ISP when she needed to change some details. She would never be able to remember them …).

If you don’t want your passwords on your iPhone then don’t use the keychain. Or make a separate AppleID for it and add it to your family.

P.S. I was more horrified when Skype suddenly asked for my password, it wasn’t in the keychain, and then they wanted to know the answer to questions I couldn’t possibly know. Lost over 12 years of conversations, contacts, etc.

I didn’t know that Keychain was synchronized between Mac OS and iOS. I have to re-enter all my passwords when I access a forum or another website. I thought it only imported email passwords when synchronizing email accounts.

Maybe they have different desktop and mobile sites? Most sites work automatically on my iPad. But that should be in a different off-topic thread …

Precisely because

either.

Keychain I understand. I use it on my Mac now and then.
But in theory (and yes, I know this is an over-the-top example) … if someone wallops me over the head with a crowbar, and presses my rapidly cooling finger on the power button, every site and account I have is an open book.
And yes, we are in danger of doing what the Xojo forum does best… take one post and turn it into a wholly unrelated stream. Stopping here. :slight_smile:

It would be interesting to open a new topic about Mac OS <-> iOS Keychain.

I save/read passwords in/from Keychain within one of my applications. This application receives and sends emails. We can configure as many accounts as we want. Each time I build a new version, I have to re-enter my admin password for each account (each password) because Keychain asks for it.
I don’t understand why it doesn’t ask only once for the first password and apply that to the others, as they were saved with the same application.

I think you can turn this off in the iCloud page of the System Preferences.

> @Markus Winter: I often find myself looking up old passwords that had been forgotten when some login page has changed (like for my mother’s ISP when she needed to change some details. She would never be able to remember them …).

Keychain is awesome for this, I use it also for looking up old passwords that I’ve forgotten.

> @Markus Winter: P.S. I was more horrified when Skype suddenly asked for my password, it wasn’t in the keychain, and then they wanted to know the answer to questions I couldn’t possibly know. Lost over 12 years of conversations, contacts, etc.

Wait, you still use Skype?

If you have HOTMAIL (by Microsoft) … do not forget/lose your password.
I did…

Only way to get it back is to (wait for it)

ENTER THE TEXT OF THE LAST EMAIL YOU RECEIVED…

I’m serious that is the requirement…

  • I have no idea WHO sent the “last”
  • and even if I did, how am I supposed to recall the exact content (it was mostly like spam anyways)

I agree that storing clear text passwords is not a good practice but in the real world the user will just write it on a sticky note and put it on the screen or make their password something easy to guess.

If you don’t encrypt a stored password with a good algorithm it can easily be decrypted/cracked.

Some thoughts:

Security is based on one or more of three factors:

  1. Something you know (a password)
  2. Something you have (a card)
  3. Something you are (a fingerprint)

How to store a password:
If you want to store an encrypted password in a file or database you use the password itself as the encryption key and store the encrypted result. To check the password you take the value the user typed and use it as password and encryption key to generate an encrypted value. You then compare this value to the stored value. If it matches you know the password is correct. This essentially keeps the password from being easily “cracked”.

How about a card and a card reader or a fingerprint reader? This could “unlock” the encrypted password storage so you could read the encrypted password. You could then compare it to the encrypted password in your system. Using this technique the real password is never stored in clear text, and since retrieving it is based on a fingerprint or a physical card, it is fairly safe. The normal login can be done by typing a password with a different user interface.

I see lots of fingerprint readers, but most have drivers that are installed into Windows or OS X for websites or for logging into the OS. Some seem to offer unlocking local applications. I am not sure any would interface with a custom program.

Hopefully some of these ideas will help you create some sort of reasonable security yet still very low user effort.
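An added example, not code from this thread, of the “store a derived value and compare what the user typed” idea in the post above. It uses a salted PBKDF2 hash in place of the password-as-encryption-key scheme the post describes, and imitates the post’s unsalted scheme alongside for contrast; the iteration count, salt size and fixed label are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumption: PBKDF2 work factor; tune to the target hardware
SALT_BYTES = 16       # assumption: random salt length


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a verifier to store instead of the password. A fresh random salt means
    two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def check_password(typed: str, stored: str) -> bool:
    """Re-derive the verifier from what the user typed and compare it to the stored one."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", typed.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def naive_verifier(password: str) -> str:
    """Imitation of the post's scheme (the password itself is the only key, no salt),
    modelled here with HMAC over a fixed label since the stdlib has no block cipher.
    It is deterministic: identical passwords give identical stored values, so a
    precomputed table of common passwords matches every user who chose one."""
    return hmac.new(password.encode("utf-8"), b"login-check", hashlib.sha256).hexdigest()
```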

For many years, I’ve been hoping (and I’ve requested) that Apple would open up their TouchID framework, so that we don’t need to use passwords any more; our application (online or desktop/mobile) simply sends a request to the Apple TouchID framework and it then either forwards that request on to the mobile device or responds itself (in the case of the emojiBook Pro).

Something as simple as

[Security authenticateWithUserID:<appleID> callback:<functionPtr> tags:<AnIdentifier>]

In your callback function you’d simply receive the tag and YES/NO.

Not trying to be a smarta** but it was opened up in iOS 8, with the LocalAuthentication framework, no? FaceID is in there too, for Xcode users (and other IDEs). What am I missing?

Don’t know if @Christian Sedlmair is still following this thread and if we are talking about iOS only or Desktop …

A while back I wrote an app where the users authenticate against a MySQL server, and this server was storing a UUID generated from several hardware and software IDs and the login/username of the OS. If the app relaunched within a certain timeframe, it would check whether it had been launched from within the same network, from the same machine and by the same user, and if all went fine it would not ask again until the timeframe, which had been started with the very first login on that day, had expired.

BTW: There was a Logout function in the App which simply erased the UUID and Login Time from the DB.
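The re-authentication scheme in the post above, as an added example that is not the poster’s code: the server keeps a keyed UUID of the machine plus OS login, the network the login came from, and the first login time; a relaunch skips the credential prompt only while all three still match inside the window, and logout erases the record. The server secret, the window length and the in-memory dictionary standing in for the MySQL table are assumptions.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass

SERVER_SECRET = b"constructed-server-secret"  # assumption: lives only on the server
WINDOW_SECONDS = 8 * 3600                      # assumption: validity of the day's first login


def machine_uuid(hardware_ids, os_login: str) -> str:
    """Fold the machine's hardware/software IDs and the OS user name into one UUID.
    Keyed with the server secret so a client cannot forge the value from the IDs alone."""
    material = "\x1f".join(list(hardware_ids) + [os_login]).encode("utf-8")
    digest = hmac.new(SERVER_SECRET, material, hashlib.sha256).digest()
    return str(uuid.UUID(bytes=digest[:16]))


@dataclass
class Session:
    machine: str        # UUID from machine_uuid()
    network: str        # identifier of the network the login came from
    login_time: float   # Unix time of the first successful login in this window


SESSIONS = {}  # app user name -> Session; stands in for the MySQL table


def login(app_user: str, credentials_ok: bool, hardware_ids, os_login: str,
          network: str, now: float) -> bool:
    """Record a session only after the real credential check has passed."""
    if not credentials_ok:
        return False
    SESSIONS[app_user] = Session(machine_uuid(hardware_ids, os_login), network, now)
    return True


def can_skip_login(app_user: str, hardware_ids, os_login: str,
                   network: str, now: float) -> bool:
    """True only if the same user, machine and network come back inside the window."""
    s = SESSIONS.get(app_user)
    if s is None:
        return False
    if now < s.login_time or now - s.login_time > WINDOW_SECONDS:
        SESSIONS.pop(app_user, None)  # expired: force a fresh credential check
        return False
    same_machine = hmac.compare_digest(s.machine, machine_uuid(hardware_ids, os_login))
    return same_machine and s.network == network


def logout(app_user: str) -> None:
    """Erase the UUID and login time, as the post's Logout function does."""
    SESSIONS.pop(app_user, None)
```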

No, no, no… Please try to be a smrtaRse :wink:

Sometimes I have a habit of misfiring my brain dumps, and I can see that not all cylinders were igniting (it can’t be the head gasket, can it?).

You go to your banking website on your Mac, enter your Apple ID (let’s just pretend that Apple isn’t Google and they’re not interested in knowing what bank you use). Bing, a dialog appears on your iPhone and with TouchID, you authenticate that way. Same goes for Amazon, HBO and your favorite web site of raunchy pictures (and movies in 360?).

You go to your project management application to work on your global domination scheme, same process, your phone combined with your fingerprint becomes your password.

Now if you have an emojiBook Pro, you can verify right there and then, see that $500 additional bucks for an emoji input device was worth it right?

Apple have all the pieces in place to do it (ApplePay), or do they? It seems like TouchID is being replaced with what was labelled as more secure, but your neighbors kid can now get into your phone :wink: