Can I securely keep the user logged into my local application AND use the password as a decryption key?












3















I'm somewhat new to data encryption/safety, but I already read about basic concepts like hashing passwords, encrypting files, etc. If possible, please ELI5 - thanks in advance.



Background: my application interacts with a third party (Twitch) using an OAuth key for IRC as well as a Client ID. Both of these can be used to effectively access the application's Twitch account and do anything with it. The keys are sent as plaintext whenever the application establishes a connection with the Twitch servers (which I can't do anything about and it's not really that huge of a problem). My main security concern is about someone getting access to the user's computer and stealing the keys from there.



I'd like to securely store these on the disk so that the user doesn't have to log into Twitch every time they open the application (to retrieve the keys). To do this, my best solution so far was to encrypt the file containing them. The obvious way to do this would be to require a password when the application starts, then use a stored hash+salt to check that password, and use the password (or its hash with a different salt) as a key to decrypt the file.



As said before, I'm new to data protection, so there might be a much better way to do this. Please do suggest one if there is one. However, as for this...



If possible, I'd also like to not have the user enter their password every time they open the application - simply for user convenience. Prompting the password once per user session (or once every time the computer is restarted) seems reasonable.



I thought about doing this by storing something in RAM, or perhaps by storing some kind of hash as a temporary file. However, I haven't been able to come to an actual conclusion yet. Maybe I'm asking for too much. Nevertheless, is there an actual, decent way to implement this? If not, is prompting for a password on every application startup a better idea than going about storing those Twitch keys securely in some other way?



If it matters - for my specific case, I'm using Python 3.7, and I aim to make my application cross-platform (as long as the system supports Python).










share|improve this question













migrated from stackoverflow.com Nov 30 '18 at 0:08


This question came from our site for professional and enthusiast programmers.



















  • Twitch supports OpenID, and the dev page have helpful sample code. You should start there.

    – ThoriumBR
    Nov 30 '18 at 0:18











  • @ThoriumBR: OIDC isn't openid, it's oauth with features borrowed from openid. And even if you use it, you still have to store a cookie/token.

    – grawity
    Nov 30 '18 at 10:24
















3















I'm somewhat new to data encryption/safety, but I already read about basic concepts like hashing passwords, encrypting files, etc. If possible, please ELI5 - thanks in advance.



Background: my application interacts with a third party (Twitch) using an OAuth key for IRC as well as a Client ID. Both of these can be used to effectively access the application's Twitch account and do anything with it. The keys are sent as plaintext whenever the application establishes a connection with the Twitch servers (which I can't do anything about and it's not really that huge of a problem). My main security concern is about someone getting access to the user's computer and stealing the keys from there.



I'd like to securely store these on the disk so that the user doesn't have to log into Twitch every time they open the application (to retrieve the keys). To do this, my best solution so far was to encrypt the file containing them. The obvious way to do this would be to require a password when the application starts, then use a stored hash+salt to check that password, and use the password (or its hash with a different salt) as a key to decrypt the file.



As said before, I'm new to data protection, so there might be a much better way to do this. Please do suggest one if there is one. However, as for this...



If possible, I'd also like to not have the user enter their password every time they open the application - simply for user convenience. Prompting the password once per user session (or once every time the computer is restarted) seems reasonable.



I thought about doing this by storing something in RAM, or perhaps by storing some kind of hash as a temporary file. However, I haven't been able to come to an actual conclusion yet. Maybe I'm asking for too much. Nevertheless, is there an actual, decent way to implement this? If not, is prompting for a password on every application startup a better idea than going about storing those Twitch keys securely in some other way?



If it matters - for my specific case, I'm using Python 3.7, and I aim to make my application cross-platform (as long as the system supports Python).










share|improve this question













migrated from stackoverflow.com Nov 30 '18 at 0:08


This question came from our site for professional and enthusiast programmers.



















  • Twitch supports OpenID, and the dev page have helpful sample code. You should start there.

    – ThoriumBR
    Nov 30 '18 at 0:18











  • @ThoriumBR: OIDC isn't openid, it's oauth with features borrowed from openid. And even if you use it, you still have to store a cookie/token.

    – grawity
    Nov 30 '18 at 10:24














3












3








3








I'm somewhat new to data encryption/safety, but I already read about basic concepts like hashing passwords, encrypting files, etc. If possible, please ELI5 - thanks in advance.



Background: my application interacts with a third party (Twitch) using an OAuth key for IRC as well as a Client ID. Both of these can be used to effectively access the application's Twitch account and do anything with it. The keys are sent as plaintext whenever the application establishes a connection with the Twitch servers (which I can't do anything about and it's not really that huge of a problem). My main security concern is about someone getting access to the user's computer and stealing the keys from there.



I'd like to securely store these on the disk so that the user doesn't have to log into Twitch every time they open the application (to retrieve the keys). To do this, my best solution so far was to encrypt the file containing them. The obvious way to do this would be to require a password when the application starts, then use a stored hash+salt to check that password, and use the password (or its hash with a different salt) as a key to decrypt the file.



As said before, I'm new to data protection, so there might be a much better way to do this. Please do suggest one if there is one. However, as for this...



If possible, I'd also like to not have the user enter their password every time they open the application - simply for user convenience. Prompting the password once per user session (or once every time the computer is restarted) seems reasonable.



I thought about doing this by storing something in RAM, or perhaps by storing some kind of hash as a temporary file. However, I haven't been able to come to an actual conclusion yet. Maybe I'm asking for too much. Nevertheless, is there an actual, decent way to implement this? If not, is prompting for a password on every application startup a better idea than going about storing those Twitch keys securely in some other way?



If it matters - for my specific case, I'm using Python 3.7, and I aim to make my application cross-platform (as long as the system supports Python).










share|improve this question














I'm somewhat new to data encryption/safety, but I already read about basic concepts like hashing passwords, encrypting files, etc. If possible, please ELI5 - thanks in advance.



Background: my application interacts with a third party (Twitch) using an OAuth key for IRC as well as a Client ID. Both of these can be used to effectively access the application's Twitch account and do anything with it. The keys are sent as plaintext whenever the application establishes a connection with the Twitch servers (which I can't do anything about and it's not really that huge of a problem). My main security concern is about someone getting access to the user's computer and stealing the keys from there.



I'd like to securely store these on the disk so that the user doesn't have to log into Twitch every time they open the application (to retrieve the keys). To do this, my best solution so far was to encrypt the file containing them. The obvious way to do this would be to require a password when the application starts, then use a stored hash+salt to check that password, and use the password (or its hash with a different salt) as a key to decrypt the file.



As said before, I'm new to data protection, so there might be a much better way to do this. Please do suggest one if there is one. However, as for this...



If possible, I'd also like to not have the user enter their password every time they open the application - simply for user convenience. Prompting the password once per user session (or once every time the computer is restarted) seems reasonable.



I thought about doing this by storing something in RAM, or perhaps by storing some kind of hash as a temporary file. However, I haven't been able to come to an actual conclusion yet. Maybe I'm asking for too much. Nevertheless, is there an actual, decent way to implement this? If not, is prompting for a password on every application startup a better idea than going about storing those Twitch keys securely in some other way?



If it matters - for my specific case, I'm using Python 3.7, and I aim to make my application cross-platform (as long as the system supports Python).







encryption hash passwords






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 24 '18 at 6:05









ViAikViAik

185




185




migrated from stackoverflow.com Nov 30 '18 at 0:08


This question came from our site for professional and enthusiast programmers.









migrated from stackoverflow.com Nov 30 '18 at 0:08


This question came from our site for professional and enthusiast programmers.















  • Twitch supports OpenID, and the dev page have helpful sample code. You should start there.

    – ThoriumBR
    Nov 30 '18 at 0:18











  • @ThoriumBR: OIDC isn't openid, it's oauth with features borrowed from openid. And even if you use it, you still have to store a cookie/token.

    – grawity
    Nov 30 '18 at 10:24



















  • Twitch supports OpenID, and the dev page have helpful sample code. You should start there.

    – ThoriumBR
    Nov 30 '18 at 0:18











  • @ThoriumBR: OIDC isn't openid, it's oauth with features borrowed from openid. And even if you use it, you still have to store a cookie/token.

    – grawity
    Nov 30 '18 at 10:24

















Twitch supports OpenID, and the dev page have helpful sample code. You should start there.

– ThoriumBR
Nov 30 '18 at 0:18





Twitch supports OpenID, and the dev page have helpful sample code. You should start there.

– ThoriumBR
Nov 30 '18 at 0:18













@ThoriumBR: OIDC isn't openid, it's oauth with features borrowed from openid. And even if you use it, you still have to store a cookie/token.

– grawity
Nov 30 '18 at 10:24





@ThoriumBR: OIDC isn't openid, it's oauth with features borrowed from openid. And even if you use it, you still have to store a cookie/token.

– grawity
Nov 30 '18 at 10:24










1 Answer
1






active

oldest

votes


















1














If you want it to be cross-platform, consider using a Python module which provides access to various platforms' existing built-in "keyring" systems. A popular one is called python-keyring.



In all platforms which have a keyring, it is stored encrypted with the user's login password and unlocked in RAM while the user is logged in.



(This isn't super-secure, as technically other programs can also request the same password from the OS... but practically all other "store something in RAM" options would have the same problem, so it's not a downgrade.)






share|improve this answer
























  • I actually had no idea that Windows had its own implementation of keyrings - that's what I was actually thinking about before asking this question, I guess I should've researched more. This solution works fine for my case... Thanks for the answer!

    – ViAik
    Nov 30 '18 at 10:08











  • Yes – although the python-keyring page implies it's something UWP-specific, but in reality it uses the same 'credential' API that has existed since Windows XP. (I checked, it imports win32cred from PyWin32.)

    – grawity
    Nov 30 '18 at 10:17













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198764%2fcan-i-securely-keep-the-user-logged-into-my-local-application-and-use-the-passwo%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














If you want it to be cross-platform, consider using a Python module which provides access to various platforms' existing built-in "keyring" systems. A popular one is called python-keyring.



In all platforms which have a keyring, it is stored encrypted with the user's login password and unlocked in RAM while the user is logged in.



(This isn't super-secure, as technically other programs can also request the same password from the OS... but practically all other "store something in RAM" options would have the same problem, so it's not a downgrade.)






share|improve this answer
























  • I actually had no idea that Windows had its own implementation of keyrings - that's what I was actually thinking about before asking this question, I guess I should've researched more. This solution works fine for my case... Thanks for the answer!

    – ViAik
    Nov 30 '18 at 10:08











  • Yes – although the python-keyring page implies it's something UWP-specific, but in reality it uses the same 'credential' API that has existed since Windows XP. (I checked, it imports win32cred from PyWin32.)

    – grawity
    Nov 30 '18 at 10:17


















1














If you want it to be cross-platform, consider using a Python module which provides access to various platforms' existing built-in "keyring" systems. A popular one is called python-keyring.



In all platforms which have a keyring, it is stored encrypted with the user's login password and unlocked in RAM while the user is logged in.



(This isn't super-secure, as technically other programs can also request the same password from the OS... but practically all other "store something in RAM" options would have the same problem, so it's not a downgrade.)






share|improve this answer
























  • I actually had no idea that Windows had its own implementation of keyrings - that's what I was actually thinking about before asking this question, I guess I should've researched more. This solution works fine for my case... Thanks for the answer!

    – ViAik
    Nov 30 '18 at 10:08











  • Yes – although the python-keyring page implies it's something UWP-specific, but in reality it uses the same 'credential' API that has existed since Windows XP. (I checked, it imports win32cred from PyWin32.)

    – grawity
    Nov 30 '18 at 10:17
















1












1








1







If you want it to be cross-platform, consider using a Python module which provides access to various platforms' existing built-in "keyring" systems. A popular one is called python-keyring.



In all platforms which have a keyring, it is stored encrypted with the user's login password and unlocked in RAM while the user is logged in.



(This isn't super-secure, as technically other programs can also request the same password from the OS... but practically all other "store something in RAM" options would have the same problem, so it's not a downgrade.)






share|improve this answer













If you want it to be cross-platform, consider using a Python module which provides access to various platforms' existing built-in "keyring" systems. A popular one is called python-keyring.



In all platforms which have a keyring, it is stored encrypted with the user's login password and unlocked in RAM while the user is logged in.



(This isn't super-secure, as technically other programs can also request the same password from the OS... but practically all other "store something in RAM" options would have the same problem, so it's not a downgrade.)







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 30 '18 at 9:59









grawitygrawity

619415




619415













  • I actually had no idea that Windows had its own implementation of keyrings - that's what I was actually thinking about before asking this question, I guess I should've researched more. This solution works fine for my case... Thanks for the answer!

    – ViAik
    Nov 30 '18 at 10:08











  • Yes – although the python-keyring page implies it's something UWP-specific, but in reality it uses the same 'credential' API that has existed since Windows XP. (I checked, it imports win32cred from PyWin32.)

    – grawity
    Nov 30 '18 at 10:17





















  • I actually had no idea that Windows had its own implementation of keyrings - that's what I was actually thinking about before asking this question, I guess I should've researched more. This solution works fine for my case... Thanks for the answer!

    – ViAik
    Nov 30 '18 at 10:08











  • Yes – although the python-keyring page implies it's something UWP-specific, but in reality it uses the same 'credential' API that has existed since Windows XP. (I checked, it imports win32cred from PyWin32.)

    – grawity
    Nov 30 '18 at 10:17



















I actually had no idea that Windows had its own implementation of keyrings - that's what I was actually thinking about before asking this question, I guess I should've researched more. This solution works fine for my case... Thanks for the answer!

– ViAik
Nov 30 '18 at 10:08





I actually had no idea that Windows had its own implementation of keyrings - that's what I was actually thinking about before asking this question, I guess I should've researched more. This solution works fine for my case... Thanks for the answer!

– ViAik
Nov 30 '18 at 10:08













Yes – although the python-keyring page implies it's something UWP-specific, but in reality it uses the same 'credential' API that has existed since Windows XP. (I checked, it imports win32cred from PyWin32.)

– grawity
Nov 30 '18 at 10:17







Yes – although the python-keyring page implies it's something UWP-specific, but in reality it uses the same 'credential' API that has existed since Windows XP. (I checked, it imports win32cred from PyWin32.)

– grawity
Nov 30 '18 at 10:17




















draft saved

draft discarded




















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198764%2fcan-i-securely-keep-the-user-logged-into-my-local-application-and-use-the-passwo%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

404 Error Contact Form 7 ajax form submitting

How to know if a Active Directory user can login interactively

TypeError: fit_transform() missing 1 required positional argument: 'X'