I need to keep your login details secure. This is important: not only do I need to keep your login details secure, I need to keep mine secure as well.
My biggest worry can be summed up by a simple Whirlpool thread:
Extract password from MUM….
Is there any easy way to do it? I’ve already noticed it encrypts it into the registry.
If mum or dad have my program installed on their computer, and junior wants to get the ISP username and password to purchase datablocks, upgrade the plan or do something which has a real world impact, one of the places they are going to look is the usage meter.
MUM has an advantage here: it’s encrypted the password and stored it in a registry key (which is all well and good), but it’s also closed source, so even if the password was just being stored as an MD5 plus salt, no one can easily get the salt without reverse engineering the software, which is unlikely. So essentially the password is out of reach for junior and, coincidentally, everyone else.
So my thought process is that this works well, let’s do that. One of the issues with an open source program is that if I did use MD5 and a simple salt, that would be quickly retrievable. Hence my dilemma: no simple encryption technique will hold water with anyone who could spoil it for others by simply posting the formula for decryption in a forum post.
I spent about 6 hours trying various encryption and decryption methods but none really worked.
Then I remembered Gnome Keyring.
As you can see, the API is as easy as it could possibly get.
It’s just that easy, so I built it, implemented it, and loved it. And after a 6 - 8 hour sprint I was in a very happy place.
All testing on my Ubuntu 12.04 machine worked well.
Fantastic, I’ll push it out! Then I updated my laptop running 13.04 and found the program was broken.
The first issue was that you will have to wipe out your old config file, and I don’t mean just apt-get purge, I mean rm -rf ~/.lium/ and completely reinstall. As I no longer had “Username:” “Password:” in the password file (yes, putting that into the password file is dumb, and I have no idea why I did this and why it took me a year to fix), the program had no way to remove that without overwriting the file, which the program assumes is correct if it exists.
The fact that people who upgraded to the latest version of my software found it would no longer update was terrible, and I found no way around it without hard-coding it into the program to remove the password file and re-create it on first run, which then caused a flow-on effect.
I was tired of dealing with the issue and put it down to the fact that I call this software ‘alpha’ for a reason and, based on my web server logs, it has limited use. So I kept v0.5.5 up there, removed the folder, reinstalled, and everything went well.
I don’t know what it was, but I felt the program was working a little too well, like I had finally hit a stable GUI that didn’t crash when updating or saving and (with the exception of the update bug) didn’t have any major issues at all. Then I tried running it on my Debian 7 VirtualBox…
It installed surprisingly well and opened fine, but when I tried to save my username and password it just sat there. So I ran it from the command line, and had it sitting there saying “Please set a new password for your keyring” … and then when I put in a password it crashes! @#()@()$)($#@)
It’s not my program’s problem that a user hasn’t set up a keyring, that’s a gnome-keyring issue. But now it’s my problem, a big problem: it broke the entire god damn program. So anyone installing on a fresh Debian 7 won’t even get to save the username or password, and my software is essentially 3 years’ worth of nothing.
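One way to stop a keyring that was never set up from taking the whole program down, shown in Python as an added example (this is not the program's own code). It assumes the third-party keyring package; the service name, the function names and the two stand-in backends are constructed for illustration.

```python
# Added example: treat keyring failures as a recoverable condition.
SERVICE = "usage-meter-example"  # assumed service name, not the program's own

class CredentialStoreUnavailable(Exception):
    """No usable keyring: package missing, daemon absent, keyring not set up."""

def _resolve(backend):
    if backend is None:
        import keyring  # lazy import; assumption: third-party "keyring" package
        return keyring
    return backend

def save_credentials(username, password, backend=None):
    """Store the password in the keyring, or raise CredentialStoreUnavailable."""
    try:
        _resolve(backend).set_password(SERVICE, username, password)
    except Exception as exc:  # backends raise different error types
        raise CredentialStoreUnavailable(str(exc)) from exc

def load_password(username, backend=None):
    """Return the stored password, or None if nothing is stored."""
    try:
        return _resolve(backend).get_password(SERVICE, username)
    except Exception as exc:
        raise CredentialStoreUnavailable(str(exc)) from exc

def try_save(username, password, backend=None):
    """GUI-facing wrapper: report failure, never fall back to a plaintext file."""
    try:
        save_credentials(username, password, backend)
    except CredentialStoreUnavailable as exc:
        return False, "Could not save to the keyring: %s" % exc
    return True, "Saved"

class MemoryBackend:  # constructed stand-in for a working keyring
    def __init__(self):
        self.items = {}
    def set_password(self, service, user, secret):
        self.items[(service, user)] = secret
    def get_password(self, service, user):
        return self.items.get((service, user))

class BrokenBackend:  # constructed stand-in for a keyring that was never set up
    def set_password(self, service, user, secret):
        raise RuntimeError("no default keyring")
    def get_password(self, service, user):
        raise RuntimeError("no default keyring")
```

The save dialog can call try_save and show the returned message, so the rest of the program keeps running on a machine where the keyring cannot be used.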
As if that wasn’t bad enough, I then found there’s this issue:
Listing All Passwords Stored in Gnome Keyring
What’s the point of storing all the passwords encrypted when someone can make a simple script that can show them all?
So it’s back to the drawing board for another round of encryption fun. When I figure something out I’ll release v0.5.6. I’ve reuploaded v0.5.4 and made a note on the download page; that’s all I can do in the meantime.