What's the best way to store a user password?

gwado

@arubislander the Nextcloud API does not allow you to retrieve Ampache/Subsonic identifiers from the Music application.

arubislander

@gwado Ah, Nextcloud music provides a Subsonic API. I was not aware.

*mchub

Storing passwords in plain text isn’t ideal, even locally. Since you need to retrieve it later, you could encrypt it using something like AES tied to the username or device info. Also, make sure the file has strict permissions.

Vlad Nirky

@mchub
I use keepassxc and it works well.
I share the database between all my devices.
It's not working on Noble yet...

AppLee

Hi @Vlad-Nirky

OP wanted a secure way to store user's password for the app to use.
That's an issue with Ubuntu Touch as if a malicious actor can figure out the encryption method used and the key just by reading the sources.
A solution would require a way to encrypt the password and ensure that only the intended and unaltered app can access it.

Non trivial.

Vlad Nirky

@AppLee
Isn't it a problem for any operating system ?
I thougt that keepass provide API to access the password database.

arubislander

@AppLee Originally Online accounts could potentially be used for this. But I have never been able to figure out how to add a custom plugin for an app

AppLee

@Vlad-Nirky said in What's the best way to store a user password?:

Isn't it a problem for any operating system ?

For proprietary OS, they can easily work around it by integrating a secret in the binary and only the authenticated user can make use of this secret to access sensitive data.
It's not the best, but it's pretty good.
Or they can rely on security cores to store all the user's secrets in it and grant access only to a trusted piece of code made by the developer of the OS then it's up to the OS to check the user's credentials before accessing the sensitive data.
This is widely used nowadays but do you trust the OS developer with your secrets?

adorsaz

@AppLee another way for application developpers is by using the libsecret protocol to ask a user session service to store sensitive data. Gnome-keyring is such a service which creates by default a key store locked by the current user password.

IIIRC the KDE/plasma service is named kwallet.

Although, IIRC Ubuntu Touch lets user use phone without password/pin code. Maybe this is the reason such service is not provided to app developpers ?

arubislander

@adorsaz said in What's the best way to store a user password?:

Although, IIRC Ubuntu Touch lets user use phone without password/pin code. Maybe this is the reason such service is not provided to app developpers ?

Ubuntu desktop also allows passwordless login. So that in itself is not the reason there is no implementation of libsecret on UT. The real reason is probably simply that none was implemented as yet.