rasp87
Posts: 94
Joined: Thu Jun 27, 2013 7:02 am

Where to store an app password

Mon Nov 17, 2014 8:34 am

I have a device application that needs a password to access some of its menus and this password is editable through those menus (not for the client, just for us, developers). Now that I want to deliver the device to my client I am thinking about how to define users and grant privileges and where to store that password.

I'm thinking about creating a user account for my client on the Pi and putting the app files in that in order to grant privileges to my client to run the app and access some files that the app creates.
Also I'm thinking about putting the password in a txt file for the root account so that my client can't access it. But that way the app won't be able to access that password file or edit it either (because it's run by the client).

So how do I go with this?

davidcoton
Posts: 5026
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: Where to store an app password

Mon Nov 17, 2014 9:14 am

Encrypt the password (something fairly simple and easily reversible, or a "trapdoor" function which stores an irreversible result of encrypting the password) -- then, as long as you are just "keeping honest people honest", it doesn't matter much where you put it. I have used a fully visible XML file to store program data, with a "Crypt" key to store an ASCII representation of the encrypted password.
Signature retired

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Where to store an app password

Mon Nov 17, 2014 9:16 am

Is there a reason why you can't hash the password with PBKDF2 or scrypt and store/compare to the hash instead?
That way, no plaintext password exists which could be leaked. Secondly, an attacker would have to use brute force and that would be extremely slow / extremely expensive for him.

ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org

rasp87
Posts: 94
Joined: Thu Jun 27, 2013 7:02 am

Re: Where to store an app password

Mon Nov 17, 2014 10:16 am

ghans wrote:Is there a reason why you can't hash the password with PBKDF2 or scrypt and store/compare to the hash instead?
That way, no plaintext password exists which could be leaked. Secondly, an attacker would have to use brute force and that would be extremely slow / extremely expensive for him.

ghans

Unfortunately I'm unfamiliar with the way of hashing or encryption. Would you please give more details or some links to help? BTW, I'm developing with C++.

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Where to store an app password

Mon Nov 17, 2014 11:03 am

The high level overview is as follows:
You get the password. You hash the password. You compare the current hash with the stored hash. If they are the same, the user must have entered the correct password.
The user gets access to admin mode (or the nuclear missile launch control panel, I don't know what you are planning to do :lol: ).

https://github.com/technion/libscrypt

ghans
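
The hash-and-compare flow outlined in the post above, as an added example that is not part of the original thread and is not libscrypt's code. It uses PBKDF2-HMAC-SHA256 from Python's standard library (one of the two functions named in the thread) instead of C++; the record layout, the iteration count and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; tune it to the device's CPU
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return the one-line ASCII record to store instead of the password."""
    salt = os.urandom(SALT_BYTES)          # fresh random salt per record
    digest = _derive(password, salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-hash the entered password with the stored salt and compare."""
    try:
        algo, iterations, salt_hex, digest_hex = record.strip().split("$")
        if algo != ALGO:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = _derive(password, salt, int(iterations))
    except ValueError:
        return False  # truncated or hand-edited record: fail closed
    # Constant-time comparison, so timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate, expected)


def change_password(old: str, new: str, record: str) -> str:
    """Editing the password from the menu: check the old one, emit a new record."""
    if not verify(old, record):
        raise PermissionError("current password is wrong")
    return make_record(new)


if __name__ == "__main__":
    rec = make_record("constructed-sample-password")   # constructed sample value
    print(rec)
    print(verify("constructed-sample-password", rec), verify("guess", rec))
```

The record does not have to be hidden from the client account, but it does need protection against modification: anyone who can write the file can replace the record with one for a password of their choosing.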

rasp87
Posts: 94
Joined: Thu Jun 27, 2013 7:02 am

Re: Where to store an app password

Mon Nov 17, 2014 11:24 am

ghans wrote:I don't know what you are planning to do :lol: ).
Actually I'm planning to send a rocket! :twisted: And that is the password you need to enter after pushing the big red button! ;)
