Do not save password #2

Open
lopezjurip opened this issue Mar 17, 2017 · 2 comments

@lopezjurip
Member

Currently the CLI saves the password to ~/.sincding/data.json in plain text.
I would recommend asking for it every time it is needed.

@negebauer
Member

Maybe an option so the user can choose whether to save it or not.
If it is saved, we should have a more secure way of doing so.
Using machine keychain? Maybe encrypting it?

@jecastro1

I tried to use a keychain. The password can be retrieved by any instance of the binary that created it. Unfortunately, in this case that binary is node, so any program running over it would be able to get the password.

Also, I don't think that encryption is practical, as you'll need a secret to encrypt (another password).

So, for now I see these options:

  1. Just ask for the password every time
  2. Distribute this program with its own binary, and implement the keychain thing
  3. Implement the keychain integration anyway, even if it is not safe. At least the attacker should use node.
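
If option 1 is adopted, data files written by earlier versions still hold the plaintext password, so an upgrade needs a cleanup step. The sketch below is an added example, not part of the thread or of sincding's code; it assumes the secret is stored under a top-level `password` key, and `scrubSavedPassword` and `demo` are hypothetical names.

```javascript
// Added example, not sincding's code. Assumption: the saved secret is a
// top-level "password" key in the JSON data file; the real key may differ.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Remove a saved password from the data file and restrict it to the owner.
// Returns a report so the CLI can tell the user what was found and changed.
function scrubSavedPassword(file, key = "password") {
  const report = { existed: false, hadPassword: false, oldMode: null, newMode: null };
  let raw;
  try {
    raw = fs.readFileSync(file, "utf8");
  } catch (err) {
    if (err.code === "ENOENT") return report; // nothing was ever saved
    throw err;
  }
  report.existed = true;
  report.oldMode = fs.statSync(file).mode & 0o777;

  const data = JSON.parse(raw);
  if (Object.prototype.hasOwnProperty.call(data, key)) {
    report.hadPassword = true;
    delete data[key];
  }
  // Write a temp file created as 0600, then rename over the original, so the
  // data file is never left half-written or briefly readable by other users.
  const tmp = `${file}.${process.pid}.tmp`;
  fs.writeFileSync(tmp, JSON.stringify(data, null, 2) + "\n", { mode: 0o600 });
  fs.renameSync(tmp, file);
  fs.chmodSync(file, 0o600);
  report.newMode = fs.statSync(file).mode & 0o777;
  return report;
}

// Constructed demo: a temp directory stands in for ~/.sincding.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "sincding-demo-"));
  const file = path.join(dir, "data.json");
  const sample = { username: "constructed-user", password: "constructed-secret" };
  fs.writeFileSync(file, JSON.stringify(sample), { mode: 0o644 });
  const report = scrubSavedPassword(file);
  const after = JSON.parse(fs.readFileSync(file, "utf8"));
  fs.rmSync(dir, { recursive: true, force: true });
  return { report, after };
}
```

Removing the key does not undo earlier exposure: the old file contents may survive in backups or unlinked disk blocks, so `hadPassword: true` is a reason to prompt the user to change that password.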
