open-source-uc / sincding

Download your Siding files
https://www.npmjs.com/package/sincding
MIT License
24 stars 3 forks

Do not save password #2

Open lopezjurip opened 7 years ago

lopezjurip commented 7 years ago

Currently the CLI saves the password to `~/.sincding/data.json` in plain text. I would recommend asking for it every time it is needed.

negebauer commented 7 years ago

Maybe an option so the user can choose whether to save it or not.
If it is saved, we should have a more secure way of doing so.
Using the machine keychain? Maybe encrypting it?

jecastro1 commented 6 years ago

I tried to use a keychain. The password can be retrieved by any instance of the binary that created it. Unfortunately, in this case that binary is node, so any program running over it would be able to get the password.

Also, I don't think that encryption is practical, as you'll need a secret to encrypt (another password).

So, for now I see these options:

  1. Just ask for the password every time
  2. Distribute this program with its own binary, and implement the keychain thing
  3. Implement the keychain integration anyway, even if it is not safe. At least the attacker should use node.
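
A sketch of option 1 from the comment above, added here as an example and not taken from the thread or from sincding's code: it removes an already saved password from the data file and reads the password from the terminal without echo. The `password` key name and both function names are assumptions, since the thread does not show the layout of `data.json`.

```javascript
// Added example, not sincding's code. Assumption: the data file is a JSON
// object that keeps the credential under a "password" key.
const fs = require('fs');

// Remove a previously saved password, keeping every other key.
// Returns true if a password was found and removed, false otherwise.
function stripSavedPassword(file) {
  let data;
  try {
    data = JSON.parse(fs.readFileSync(file, 'utf8'));
  } catch (err) {
    if (err.code === 'ENOENT') return false; // nothing was ever saved
    throw err; // unreadable or corrupt file: let the caller decide
  }
  if (data === null || typeof data !== 'object' || !('password' in data)) return false;
  delete data.password;
  // Write an owner-only temp file, then rename it over the original.
  const tmp = `${file}.${process.pid}.tmp`;
  fs.writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
  fs.renameSync(tmp, file);
  fs.chmodSync(file, 0o600);
  return true;
}

// Ask for the password on a terminal without echoing it.
// The value lives only in memory and is never written to disk.
function promptPassword(question, input = process.stdin, output = process.stderr) {
  return new Promise((resolve, reject) => {
    if (!input.isTTY) return reject(new Error('password prompt needs a terminal'));
    let secret = '';
    const finish = () => {
      input.setRawMode(false);
      input.pause();
      input.removeListener('data', onData);
      output.write('\n');
    };
    const onData = (chunk) => {
      for (const ch of chunk) {
        if (ch === '\r' || ch === '\n' || ch === '\u0004') { finish(); return resolve(secret); }
        if (ch === '\u0003') { finish(); return reject(new Error('cancelled')); } // Ctrl-C
        if (ch === '\u007f' || ch === '\b') secret = secret.slice(0, -1); // backspace
        else secret += ch;
      }
    };
    output.write(question);
    input.setRawMode(true); // raw mode turns off terminal echo
    input.setEncoding('utf8');
    input.resume();
    input.on('data', onData);
  });
}
```

A CLI would call `stripSavedPassword` once at startup on its data file and then `await promptPassword('Password: ')` whenever it needs to log in.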