volaya
commented
10 years ago How hard do you think that it would be to move this upstream to QGIS? QGIS also stores passwords in plain text (it warns you about that, though).
Open ischneider opened 10 years ago
volaya
commented
10 years ago How hard do you think that it would be to move this upstream to QGIS? QGIS also stores passwords in plain text (it warns you about that, though).
volaya
commented
10 years ago The plugin documentation now clearly states that passwords are stored and you should disable saving previous catalogs if you do not like that. Maybe we should add a more explicit warning in the UI about that while we have no encription implemented?
ischneider
commented
10 years ago A simple approach would be to provide a default service based on http://twhiteman.netfirms.com/des.html (26k pure python)
Security provided by this default service would have the flaw that any key used for encryption would be plaintext itself but this would at least provide minimal protection.
The service class would have a simple interface:
def encrypt(text):
'return base64 encoded version of `text`'
def decrypt(text):
'accept base64 encoded `text` and return decrypted text'The service class could be configurable by a setting or environment variable to allow creation of a different provider.
The stored setting string could be prefixed with the name of the service to support migration. If the stored info doesn't match the configured service then the user could be alerted and the password returned as a blank string.
plaintext storage is no good
http://stackoverflow.com/questions/7977047/whats-the-best-practice-to-store-password-and-username-in-a-pyqt-program
pycrypto might be an option, too but hooking into a keyring would be sweetest