Hi, by now it seems to be common knowledge that passwords shouldn’t be stored in a database. Backend devs generally know to hash and salt and what-not their transmitted passwords. It seems to be well documented.

However, I wasn’t exactly able to find such a clear answer for client applications accessing e.g. web APIs. For example, lets assume you were to create a Lemmy desktop application with support for multiple accounts. Ideally, that software would work like a password manager and store its master password as hash only.

However(2), sometimes users like to start said application without entering their password. Like an Email client in pleb mode. Which requires the passwords to be stored somewhere. In this case, what is the best course of action?

  • 0x0@programming.dev
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    You can password-protect a SQLite database, although you’d have to store the password within the app which raises other issues.

    • TheCee@programming.devOP
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Yes, every approach seems to be limited in that an attacker could steal the password or token indirectly. So the safest bet is probably making storing passwords opt-in for each user.