    What's the best way to store a user password?

        gwado @arubislander

        @arubislander the Nextcloud API does not allow you to retrieve Ampache/Subsonic identifiers from the Music application.

          arubislander @gwado

          @gwado Ah, Nextcloud music provides a Subsonic API. I was not aware.

          🇦🇼 🇳🇱 🇺🇸 🇪🇸
          Happily running Ubuntu Touch
          Google Pixel 3a (20.04 DEV)
          JingPad (24.04 preview)
          Meizu Pro 5 (16.04 DEV)

            *mchub Banned

            Storing passwords in plain text isn't ideal, even locally. Since you need to retrieve it later, you could encrypt it using something like AES tied to the username or device info. Also, make sure the file has strict permissions.

              Vlad Nirky @*mchub

              @mchub
              I use keepassxc and it works well.
              I share the database between all my devices.
              It's not working on Noble yet...

                AppLee @Vlad Nirky

                Hi @Vlad-Nirky

                OP wanted a secure way to store user's password for the app to use.
                That's an issue with Ubuntu Touch, as a malicious actor can figure out the encryption method used and the key just by reading the sources.
                A solution would require a way to encrypt the password and ensure that only the intended and unaltered app can access it.

                Non-trivial.

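The two suggestions in the posts above (a credentials file with strict permissions, and a key tied to the username or device info), as an added example that is not part of the thread. The function names, the salt constant and the sample values are assumptions; no AES is performed, since only the standard library is used. `derive_key` is deterministic over inputs any local process can read, so it returns the same key to anyone who has read the sources.

```python
import hashlib
import os
import stat

APP_SALT = b"example-app-v1"  # assumed constant; visible to anyone reading the sources

def derive_key(username: str, device_id: str) -> bytes:
    """Derive a 32-byte key from inputs every local process can also read.

    Same inputs always give the same key, so this is obfuscation, not a secret."""
    material = f"{username}:{device_id}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, APP_SALT, 100_000)

def write_secret(path: str, data: bytes) -> None:
    """Create the file as 0600 from the first byte, then rename into place."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)

def read_secret(path: str) -> bytes:
    """Refuse symlinks, foreign owners and group/other permission bits."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError(f"{path}: not owned by the current user")
        if st.st_mode & 0o077:
            raise PermissionError(f"{path}: group/other bits set")
        return fh.read()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "credentials")
        write_secret(p, b"constructed-sample-password")  # constructed value
        print(oct(os.stat(p).st_mode & 0o777), read_secret(p))
    print(derive_key("phablet", "constructed-device-id").hex())
```
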
                  Vlad Nirky @AppLee

                  @AppLee
                  Isn't it a problem for any operating system?
                  I thought that keepass provides an API to access the password database.

                    arubislander @AppLee

                    @AppLee Originally Online accounts could potentially be used for this. But I have never been able to figure out how to add a custom plugin for an app.

                      AppLee @Vlad Nirky

                      @Vlad-Nirky said in What's the best way to store a user password?:

                      Isn't it a problem for any operating system?

                      For proprietary OS, they can easily work around it by integrating a secret in the binary and only the authenticated user can make use of this secret to access sensitive data.
                      It's not the best, but it's pretty good.
                      Or they can rely on security cores to store all the user's secrets in it and grant access only to a trusted piece of code made by the developer of the OS; then it's up to the OS to check the user's credentials before accessing the sensitive data.
                      This is widely used nowadays, but do you trust the OS developer with your secrets?

                        adorsaz @AppLee

                        @AppLee another way for application developers is to use the libsecret protocol to ask a user session service to store sensitive data. Gnome-keyring is such a service, which by default creates a key store locked by the current user password.

                        IIRC the KDE/plasma service is named kwallet.

                        Although, IIRC Ubuntu Touch lets users use the phone without a password/PIN code. Maybe this is the reason such a service is not provided to app developers?

                          arubislander @adorsaz

                          @adorsaz said in What's the best way to store a user password?:

                          Although, IIRC Ubuntu Touch lets users use the phone without a password/PIN code. Maybe this is the reason such a service is not provided to app developers?

                          Ubuntu desktop also allows passwordless login. So that in itself is not the reason there is no implementation of libsecret on UT. The real reason is probably simply that none was implemented as yet.
