Storing passwords


#1

I’m thinking of writing a package which would require the user to input username and password which will be used towards an external service on the web. The package would integrate towards this service. Is there any reasonably secure way I could achieve this? A simple configuration variable does not seem good enough since the config file is generally readable by anyone on the system where Atom is installed.

The service supports sessions, but they have a limited timespan and are not a permanent solution.

The service does not support tokens (which would be ideal - just as github and travis-ci-status do).


#2

I would recommend against storing them in the Atom configuration store. I would also recommend against storing passwords or tokens in the ~/.atom directory because some folks (myself included) like to share their dotfiles or Atom directory in public GitHub repositories. I’ve generally stored tokens or passwords in a file in the home directory by default and made the storage location configurable.


#3

There’s that as well.

I was thinking about something that most ssh implementations do. Have the password in cleartext (in a file somewhere which my package keeps track of, e.g. ~/.packageName/config), and refuse to use it if the modifiers are not 0 for both group and all. That way only the current user can read it.


#4

I would not expect it to work on Windows though…
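
The ssh-style check proposed in #3, with the Windows limitation raised in #4 handled explicitly, as an added example that is not part of the original thread or of any Atom package. The function names are hypothetical, and refusing outright on Windows is an assumption about how a package might react when the mode bits cannot be trusted.

```javascript
const fs = require('fs');
const path = require('path');

// Pure check on stat data, so it can be exercised without touching the disk.
// Returns null when the file is acceptable, otherwise a reason string.
function permissionProblem(stat, uid, platform) {
  if (platform === 'win32') {
    // Node reports synthetic mode bits on Windows; ACLs are not reflected,
    // so a POSIX-style check says nothing about who can read the file.
    return 'permission bits cannot be verified on Windows';
  }
  if (!stat.isFile()) return 'not a regular file';
  if (stat.uid !== uid) return 'file is not owned by the current user';
  if ((stat.mode & 0o077) !== 0) {
    const bits = (stat.mode & 0o777).toString(8).padStart(3, '0');
    return `mode ${bits} grants access to group or others`;
  }
  return null;
}

// Reads the credential file only if the check passes; throws otherwise.
function loadCredentials(filePath) {
  // Open first and fstat the descriptor, so the file checked is the file read.
  const fd = fs.openSync(filePath, 'r');
  try {
    const uid = process.getuid ? process.getuid() : -1; // getuid is absent on Windows
    const problem = permissionProblem(fs.fstatSync(fd), uid, process.platform);
    if (problem) throw new Error(`refusing to use ${filePath}: ${problem}`);
    return fs.readFileSync(fd, 'utf8');
  } finally {
    fs.closeSync(fd);
  }
}

// Creates the file as 0600 from the start rather than tightening it afterwards.
function saveCredentials(filePath, contents) {
  fs.mkdirSync(path.dirname(filePath), { recursive: true, mode: 0o700 });
  const fd = fs.openSync(filePath, 'w', 0o600);
  try {
    fs.fchmodSync(fd, 0o600); // also fixes the mode of a pre-existing file
    fs.writeFileSync(fd, contents);
  } finally {
    fs.closeSync(fd);
  }
}
```

The password is still cleartext on disk; the check only limits which local accounts can read it.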