Where and how to store password in the electron app?


#1

Hi,

I’d like to store the password for some time, so that the user of the application only has to log in once in a while.

In the web application I’m doing it with a server-side session and cookies, but what to do in Electron?
Is there access to Chromium’s password storage? I know that Google Chrome can store passwords, so probably Electron can also?

Thanks in advance.


#2

Probably I need to ask on another forum. Sorry :slight_smile:


#3

I don’t know if I have a useful solution to offer, but what I would say is that storing a plain text password is a terrible idea.

What would be better is generating some kind of token and storing it in localStorage or something instead, and using that to authenticate the session. In fact, if you need an internet connection anyway, you should be able to do it with server-side sessions anyway.

Anything is better than plain text passwords, but I don’t want to give awful security advice, so I’ll shut up now.


#4

I haven’t tried it yet but this is what I bookmarked for this purpose:


#5

In the web application I’m doing it with server-side session and cookies, but what to do in electron?

Are the local and remote accounts connected? If so, you probably want the server to check the password and answer back to your application.

If you want to have a local-only login system, Node has a crypto module. (Do not confuse it with the crypto project on npm.)

That crypto module implements password-based key derivation function 2 (PBKDF2). The output of this function can safely be stored in plain text, and you can compare those hashes to validate a login.

PBKDF2 needs a salt; your salt should be made of something unique to the user and something unique to your application. "UserName|ApplicationName" could be a start. Ideal would be a large random number unique per user, but it depends on whether you have the infrastructure for managing and keeping those secrets. Against an attacker who can use the console to view the memory of Electron, the simple salt is good enough.

The default API is async. Slow is good against brute force.


#6

Guys, thanks for all your answers. I thought that there was something like `Chromium.saveMyPasswordInTheLocalStorage('mypass')`, but it’s not possible, AFAIK.

I don’t think that even PBKDF2 will be enough for security: rainbow tables still exist, and the salt has to be stored somewhere nearby.

But @teleclimber, thanks for node-keytar, it looks very promising; I will definitely try it.


#7

rainbow tables are still exist

Yes, but it would need a different set of rainbow tables recomputed for each user, which makes it not worth it versus brute force.

The keychain will show all stored usernames and passwords in PLAIN TEXT to any admin.