Store credentials locally


I have a client <> server architecture set up. But I want to give users the possibilty to remember their username/password on their own computer. So that it’s easier for them to log in and use my program straight away.
How can I do that safely?! I thought about writing it to a file and set all permissions to ‘owner’. Maybe encrypt the username/password. But I doubt that that would do much. As the encryption key would be stored in the app/somewhere else were it can be found easily.

Anyone has ideas? Or did this already?

A username/password system should NEVER store the ACTUAL password. It should never have access to the ACTUAL password.
Huh? you say?

When the user enters (or changes) their password… your apply an ENCRYPTED version to the database or file
Each time the user is asked to enter their password, they enter the ClearText version, the app encrypts it and compares THAT value to the stored value.

This way there is no way for a “hacker” to gain access by knowing the actual password (not to say it is 100% fool-proof… but storing ClearText offers no protection at all)

Of course even having anything “remembered” on any computer (local or remote) reduces the protection level of the data.

I don’t think Dave means encrypted :wink: NEVER store an encrypted value of ANY password.
Store a HASHED version of it.

When a user enters their password, hash it and compare it to the stored hash.
Don’t know if you’re talking about a Web app or not but here are some tips from Thom!

I know I should hash my passwords in a database (salted please)

I don’t think I made myself clear. I mean something like this:

“Remember my password” Everything is very secure on the server/database side, but how should I do this secure client side! Many programs store passwords client side. But how should I do that safe? Hashing isn’t an option here.

You can access the keychain on the Mac side with Xojo.

Thank you, is there also an cross platform option?