What's the best way to store a user password?

Reply to What's the best way to store a user password? on Thu, 01 May 2025 20:18:19 GMT

arubislander — Thu, 01 May 2025 20:18:19 GMT

@adorsaz said in What's the best way to store a user password?:

Although, IIRC Ubuntu Touch lets user use phone without password/pin code. Maybe this is the reason such service is not provided to app developpers ?

Ubuntu desktop also allows passwordless login. So that in itself is not the reason there is no implementation of libsecret on UT. The real reason is probably simply that none was implemented as yet.

Reply to What's the best way to store a user password? on Thu, 01 May 2025 18:25:57 GMT

adorsaz — Thu, 01 May 2025 18:25:57 GMT

@AppLee another way for application developpers is by using the libsecret protocol to ask a user session service to store sensitive data. Gnome-keyring is such a service which creates by default a key store locked by the current user password.

IIIRC the KDE/plasma service is named kwallet.

Although, IIRC Ubuntu Touch lets user use phone without password/pin code. Maybe this is the reason such service is not provided to app developpers ?

Reply to What's the best way to store a user password? on Thu, 01 May 2025 16:13:27 GMT

AppLee — Thu, 01 May 2025 16:13:27 GMT

@Vlad-Nirky said in What's the best way to store a user password?:

Isn't it a problem for any operating system ?

For proprietary OS, they can easily work around it by integrating a secret in the binary and only the authenticated user can make use of this secret to access sensitive data.
It's not the best, but it's pretty good.
Or they can rely on security cores to store all the user's secrets in it and grant access only to a trusted piece of code made by the developer of the OS then it's up to the OS to check the user's credentials before accessing the sensitive data.
This is widely used nowadays but do you trust the OS developer with your secrets?

Reply to What's the best way to store a user password? on Thu, 01 May 2025 16:12:54 GMT

arubislander — Thu, 01 May 2025 16:12:54 GMT

@AppLee Originally Online accounts could potentially be used for this. But I have never been able to figure out how to add a custom plugin for an app

Reply to What's the best way to store a user password? on Thu, 01 May 2025 14:41:01 GMT

Vlad Nirky — Thu, 01 May 2025 14:41:01 GMT

@AppLee
Isn't it a problem for any operating system ?
I thougt that keepass provide API to access the password database.

Reply to What's the best way to store a user password? on Thu, 01 May 2025 14:02:27 GMT

AppLee — Thu, 01 May 2025 14:02:27 GMT

Hi @Vlad-Nirky

OP wanted a secure way to store user's password for the app to use.
That's an issue with Ubuntu Touch as if a malicious actor can figure out the encryption method used and the key just by reading the sources.
A solution would require a way to encrypt the password and ensure that only the intended and unaltered app can access it.

Non trivial.

Reply to What's the best way to store a user password? on Wed, 30 Apr 2025 05:38:01 GMT

Vlad Nirky — Wed, 30 Apr 2025 05:38:01 GMT

@mchub
I use keepassxc and it works well.
I share the database between all my devices.
It's not working on Noble yet...

Reply to What's the best way to store a user password? on Tue, 29 Apr 2025 20:04:19 GMT

*mchub — Tue, 29 Apr 2025 20:04:19 GMT

Storing passwords in plain text isn’t ideal, even locally. Since you need to retrieve it later, you could encrypt it using something like AES tied to the username or device info. Also, make sure the file has strict permissions.

Reply to What's the best way to store a user password? on Sat, 16 Nov 2024 00:37:42 GMT

arubislander — Sat, 16 Nov 2024 00:37:42 GMT

@gwado Ah, Nextcloud music provides a Subsonic API. I was not aware.

Reply to What's the best way to store a user password? on Fri, 15 Nov 2024 21:57:20 GMT

gwado — Fri, 15 Nov 2024 21:57:20 GMT

@arubislander the Nextcloud API does not allow you to retrieve Ampache/Subsonic identifiers from the Music application.

Reply to What's the best way to store a user password? on Tue, 12 Nov 2024 15:38:53 GMT

arubislander — Tue, 12 Nov 2024 15:38:53 GMT

@gwado There is a nextcloud plugin in the Online Accounts setting. Could you not integrate your app with that?

Here's some documentation to read up on about the Online Accounts[1]. It is still the old Canonical documentation, but I could not find the UBports mirror.

https://phone.docs.ubuntu.com/en/platform/guides/online-accounts-developer-guide

Reply to What's the best way to store a user password? on Tue, 12 Nov 2024 13:49:13 GMT

uxes — Tue, 12 Nov 2024 13:49:13 GMT

dont you just get some token for login and store it, refresh it? i mean nextcloud desktop app is not asking me for password every run, and that is about all the stuff with oauth

Reply to What's the best way to store a user password? on Tue, 12 Nov 2024 05:49:26 GMT

ikoz — Tue, 12 Nov 2024 05:49:26 GMT

@gwado You could encrypt it with username and salt it. You could use something like PGP for that. The best way would be to save it to a file with read only permissions and owned by root.
Does nextcloud support public-private key login? That would be ideal.

For QML, there is the settings component which saves the variables in a file, but the content isn't readable with a simple cat (IIRC).

There is a lot more information in this Unix stackexchange thread.