How to store passwords in a Qt application



  • My application needs to store username and passwords. Is there some way to store the passwords securely. QSettings simply uses a text file, which can't serve the purpose!


  • Moderators

    You should never store passwords! There is no way to do that securely, not in Qt nor in anywhere else!

    Generate a random number (salt, the more bits the better), add the password from the user and run a secure hash (not MD5 or something similar weak) on that data a couple hundred times (which makes brute-forcing more expensive). Store the result. You can use QSettings or a plain text file as it is very hard to get from that data back to the original password.



  • Actually, i don't need to store password to validate the user later. My application stores usernames/passwords of my online accounts and provides for an automatic login. How will i get back the password for login if I use MD5 or SHA.


  • Moderators

    Oh, that is different: That just can't be done in a secure way:-)

    All you can do is encrypt the data before writing it to disk. But since your application needs to access it you are basically stuck at having it in a retrievable format. You could do so e.g. by storing a encrypted bytearray in QSettings. I am not sure whether going for real encryption is necessary or whether something more simple will suffice: Encryption only makes sense together with a "master password" the user provides.

    You could try to investigate whether the online services you care about are able to authenticate applications. Twitter and many similar services allow for that.



  • Actually i don't require any real encryption. I suppose creating a simple reversible encryption algorithm on my own would suffice. Thanks! for your suggestions


  • Moderators

    Andre has posted some class for "basic obscuring of data":http://qt-project.org/wiki/Simple_encryption a while back. I would not call it encryption:-)



  • Use RSA or AES Encryption, RSA will provide you with a public and a private key, and as long as the key is long enough, it should be quite save (unless someone gets your private key).

    Qt has afaik no implementation of such, but Poco Libaries do. Poco is licensed under boost opensource license, so you should be able to use it in your project quite easily.



  • bq. Andre has posted some class for basic obscuring of data [qt-project.org] a while back. I would not call it encryption:-)

    This is exactly what i was looking for. But my application is closed source, proprietary. There is not enough licensing information given there. Is it GPL or LGPL. Can i use the code directly in my closed source app or i should first create a shared library and link that library with my code if it is LGPL.


  • Moderators

    adnan: Ask "Andre":https://qt-project.org/member/438 , he wrote it:-)

    codenode: Both RSA and AES provide strong encryption, but in this use case it does not really improve security by much. The application needs to decrypt the data again to retrieve the password, so it must have access to the private key. If the application has access to it, then an attacker can get it as well.

    Even with a simple obfuscation most attackers will analyse the code to get to the plain text instead of staring at the obfuscated text. Exactly the same approach will also help when using real encryption in this use case.



  • Hi,

    The license is a BSD license: you're free to use it. In your case, since you're only distributing binairies, you only need to make an attribution in your about box, documentation or something like that, in which you repeat the license text as in the code. You're free to change the code as you see fit.

    I hope the code fits your purpose. Tobias would not call it encryption, I am less modest. It is encryption, just not the strongest you can get :-)



  • I am sorry, its still not clear. Can i directly include your header and cpp files in my code. In my About dialog i already have a license to display, am i supposed to add two licenses the other displaying the following license:
    @/*
    Copyright (c) 2011, Andre Somers
    All rights reserved.

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:
    * Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
    * Neither the name of the Rathenau Instituut, Andre Somers nor the
    names of its contributors may be used to endorse or promote products
    derived from this software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
    ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
    DISCLAIMED. IN NO EVENT SHALL ANDRE SOMERS BE LIABLE FOR ANY
    DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
    (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
    ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    */@

    But this license doesn't mention what is being licensed



  • Yes, you can directly include the code in your project, either as-is or modified to your needs. Just don't claim you wrote it :-)

    You're correct you're supposed to include the license as you quoted. You may use something like this:

    [quote]
    This application contains code copyrighted by André Somers. For this code, the following license applies:

    <the license text>
    [/quote]

    Note that this is quite a standard (and I thought: common) license. I did not make up the above myself :-) I am suprised it confuses people as much as it seems to do.



  • Thanks for your reply! Its clear now



  • You're welcome. Good luck with your project!


Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.