Save passwords and account information in an encrypted form #6
Comments
|
Well, we probably want to do something to save configuration data, including things like TLS fingerprints and other stuff like it - basically, I think the whole config file should optionally be encrypted so you can save all your account information in one place, and then not have to enter all the info every time. xmpp-client already saves passwords, but in a plain text file. |
olabini
changed the title
|
Jitsi use masterpassword approach. |
|
When we do this, we should use something like bcrypt/scrypt to make the unlocking of the file take 0.5-1s - we can then cache the bcrypted value in memory for the duration of the program so we don't have to redo it every time we save the config file. We might also give the user the possibility of turning off the caching and always ask for the password when reading or saving the file. |
|
We should use scrypt for this. We save the parameters first in the file and then use scrypt to generate a good AES-128 or 256 key and encrypt the whole file. |
|
BTW, that Jitsi thing is a bit scary - fixed salt, fixed amount of iterations and it uses ECB. We should definitely not follow that pattern. |
|
OK, working on this today. These are the sub tasks:
|
|
This has been fixed. The only thing you can't do is set up encrypted storage using the CLI, and since the CLI can't store the account passwords either, I tihnk that's fine for now. |
Should we really save passwords? Is this only interesting on a multi-account scenario?
The text was updated successfully, but these errors were encountered: