Unnecessary Crypto

[pritambaral]

Encryption is only as secure as the key

You're storing something on the user's disk, but encrypting it with a key that is open for the public to see. The key also happens to be stored on the same disk, BTW.

Conclusion: the encryption is pointless.

PS: DES is also long broken, BTW. If you ever need to use symmetric crypto in a real situation, don't use DES. For now, AES-128 should do.

[pritambaral]

Don't worry about storing the key on the disk in plaintext. Any sane cryptographer would tell you that is indeed the correct thing to do. The user's computer is supposed to be the ultimate point of trust, because it is (in today's personal computing world).

If someone has access to the user's disk, (sometimes called "physical access" in colloquial crypto jargon, but even remote access to disk is sufficient here), they can:

1. Obtain the key used for the encryption;
2. Replace a program which the user trusts and would just type the password into, if asked; or
3. In any of a myriad ways pwn them.

[nihal111]

The entire reason for keeping the encryption was just to prevent any prying eyes who manually open Cred.txt from getting the password directly. We do realize that the key is public and the password can be decrypted easily.