Can I securely keep the user logged into my local application AND use the password as a decryption key?
I'm somewhat new to data encryption/safety, but I already read about basic concepts like hashing passwords, encrypting files, etc. If possible, please ELI5 - thanks in advance.
Background: my application interacts with a third party (Twitch) using an OAuth key for IRC as well as a Client ID. Both of these can be used to effectively access the application's Twitch account and do anything with it. The keys are sent as plaintext whenever the application establishes a connection with the Twitch servers (which I can't do anything about and it's not really that huge of a problem). My main security concern is about someone getting access to the user's computer and stealing the keys from there.
I'd like to securely store these on the disk so that the user doesn't have to log into Twitch every time they open the application (to retrieve the keys). To do this, my best solution so far was to encrypt the file containing them. The obvious way to do this would be to require a password when the application starts, then use a stored hash+salt to check that password, and use the password (or its hash with a different salt) as a key to decrypt the file.
As said before, I'm new to data protection, so there might be a much better way to do this. Please do suggest one if there is one. However, as for this...
If possible, I'd also like to not have the user enter their password every time they open the application - simply for user convenience. Prompting for the password once per user session (or once every time the computer is restarted) seems reasonable.
I thought about doing this by storing something in RAM, or perhaps by storing some kind of hash as a temporary file. However, I haven't been able to come to an actual conclusion yet. Maybe I'm asking for too much. Nevertheless, is there an actual, decent way to implement this? If not, is prompting for a password on every application startup a better idea than going about storing those Twitch keys securely in some other way?
If it matters - for my specific case, I'm using Python 3.7, and I aim to make my application cross-platform (as long as the system supports Python).
encryption hash passwords
migrated from stackoverflow.com Nov 30 '18 at 0:08
This question came from our site for professional and enthusiast programmers.
Twitch supports OpenID, and the dev page has helpful sample code. You should start there.
– ThoriumBR
Nov 30 '18 at 0:18
@ThoriumBR: OIDC isn't OpenID, it's OAuth with features borrowed from OpenID. And even if you use it, you still have to store a cookie/token.
– grawity
Nov 30 '18 at 10:24
asked Nov 24 '18 at 6:05
ViAik
1 Answer
If you want it to be cross-platform, consider using a Python module which provides access to various platforms' existing built-in "keyring" systems. A popular one is called python-keyring.
On all platforms that have a keyring, it is stored encrypted with the user's login password and unlocked in RAM while the user is logged in.
(This isn't super-secure, as technically other programs can also request the same password from the OS... but practically all other "store something in RAM" options would have the same problem, so it's not a downgrade.)
I actually had no idea that Windows had its own implementation of keyrings - that's what I was actually thinking about before asking this question, I guess I should've researched more. This solution works fine for my case... Thanks for the answer!
– ViAik
Nov 30 '18 at 10:08
Yes – although the python-keyring page implies it's something UWP-specific, in reality it uses the same 'credential' API that has existed since Windows XP. (I checked, it imports win32cred from PyWin32.)
– grawity
Nov 30 '18 at 10:17
answered Nov 30 '18 at 9:59
grawity
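As an added example (it is not code from the answer above or from the python-keyring project), this is what the recommended approach looks like inside the application: the OAuth token and Client ID go into one OS keyring entry under an assumed service name, the user is only prompted when nothing usable is stored, and a corrupt or missing entry simply triggers a fresh login instead of a crash. The `keyring` package is assumed to be installed; the in-memory backend, `SERVICE_NAME`, the JSON entry layout and the `prompt` callback are this example's own choices, not anything the answer or the library prescribes.

```python
"""Keep a Twitch bot's OAuth token and Client ID in the OS keyring.

Added example, not code from the original post or from python-keyring.
Assumes `pip install keyring`; if the module is missing, an in-process
fallback is used so the flow can still be exercised (nothing persists).
SERVICE_NAME, the JSON entry layout and the prompt callback are this
example's own choices.
"""
import json
from typing import Callable, Dict, Optional, Tuple

try:
    import keyring  # OS keyring: Credential Manager, Keychain, Secret Service
except ImportError:  # not installed: fall back to the in-memory store below
    keyring = None

SERVICE_NAME = "example-twitch-bot"  # assumed label under which entries are filed


class InMemoryBackend:
    """Process-local stand-in with python-keyring's get/set/delete shape.

    Useful for tests and for machines without a keyring daemon; it never
    writes to disk, so the secrets vanish when the process exits.
    """

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], str] = {}

    def get_password(self, service: str, username: str) -> Optional[str]:
        return self._entries.get((service, username))

    def set_password(self, service: str, username: str, secret: str) -> None:
        self._entries[(service, username)] = secret

    def delete_password(self, service: str, username: str) -> None:
        del self._entries[(service, username)]


class TokenStore:
    """One keyring entry per Twitch login, holding both secrets as JSON."""

    REQUIRED = ("client_id", "oauth_token")

    def __init__(self, login: str, backend=None) -> None:
        self.login = login
        # The `keyring` module itself exposes get/set/delete_password, so it
        # can be used directly as the backend when it is available.
        self.backend = backend if backend is not None else (keyring or InMemoryBackend())

    def load(self) -> Optional[Dict[str, str]]:
        raw = self.backend.get_password(SERVICE_NAME, self.login)
        if raw is None:
            return None
        try:
            creds = json.loads(raw)
        except ValueError:
            return None  # corrupt entry: treat as "not logged in", not as a crash
        if not isinstance(creds, dict) or not all(k in creds for k in self.REQUIRED):
            return None
        return creds

    def save(self, client_id: str, oauth_token: str) -> None:
        entry = json.dumps({"client_id": client_id, "oauth_token": oauth_token})
        self.backend.set_password(SERVICE_NAME, self.login, entry)

    def clear(self) -> None:
        """Log out: remove the entry; a no-op if nothing is stored."""
        if self.backend.get_password(SERVICE_NAME, self.login) is not None:
            self.backend.delete_password(SERVICE_NAME, self.login)


def get_credentials(store: TokenStore,
                    prompt: Callable[[], Tuple[str, str]]) -> Tuple[Dict[str, str], bool]:
    """Return (credentials, prompted).

    The OS keyring is unlocked for the whole login session, so no app-level
    password is asked for: `prompt` runs only when the keyring holds nothing
    usable, and its result is saved for the next start.
    """
    creds = store.load()
    if creds is not None:
        return creds, False
    client_id, oauth_token = prompt()
    store.save(client_id, oauth_token)
    return {"client_id": client_id, "oauth_token": oauth_token}, True


if __name__ == "__main__":
    # Demo against the in-memory backend with constructed, fake credentials.
    demo = TokenStore("examplestreamer", backend=InMemoryBackend())
    first, asked = get_credentials(demo, lambda: ("fake-client-id", "oauth:fake-token"))
    second, asked_again = get_credentials(demo, lambda: ("unused", "unused"))
    print("prompted on first run:", asked, "| prompted on second run:", asked_again)
    print("same credentials reused:", first == second)
```

python-keyring picks the backend itself (Windows Credential Manager, macOS Keychain, the Secret Service API on Linux); `keyring.get_keyring()` reports which one is active, which is worth checking on a headless Linux box where no keyring daemon may be running. As the answer notes, anything else running in the user's session can read the same entry, so what this buys is protection against the credential file being lifted off the disk, not against code already running as that user.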