Storing Server Password

macOS. App used SFTP to manage (maybe several) servers. I set these up in a CoreData object at the application level. I had been storing each password along with ID and path info, using bindings from an NSSecureTextField for pw. That no longer works and the password is no longer stored. A standard NSTextField does work. So it is obvious that something has changed, and they apparently don't like the vulnerability and are enforcing something new here when you use an NSSecureTextField. So I need to use keyChain? How do I go about doing this and retrieve the password in my SFTP code when accessing the server?

Replies

they apparently don't like the vulnerability and are enforcing something new here when you use an NSSecureTextField.

I think that’s very unlikely. Bindings do not, in general, do any sort of security evaluation. I’m not sure what’s going on here but I suspect it’s just a run-of-the-mill bug, either in your code or in the system.

Having said that, storing passwords in plaintext is a very bad idea, so changing your code to store these passwords in the keychain is the right idea regardless. To that end, you wrote:

How do I go about doing this and retrieve the password in my SFTP code when accessing the server?

My recommendation is that you start with the various articles (Using the Keychain to Manage User Secrets, Adding a Password to the Keychain, and Searching for Keychain Items) on this page.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks. I will try to learn more about using keychain. However, this is increasingly looking like a system bug. This code worked just fine until the new system. While I agree it would be better to not use clear text, the issue is that you first have to get it into the computer. That's what a human interface is for. Currently, all the entry fields are bound to fields in the same object, a selection in an array. It works as long as I don't use an NSSecureTextField for entry. I suppose the procedure should be to have the pw setter store it in keychain, and then, when used by our SFTP code, let the getter access it from keychain. But, until I can first get the pw in hand, nothing can be done.


On second thought, it really doesn't make sense to access keychain that frequently. Every action with the server (e.g., upload, download, directory, etc.) requires the pw. Seems to make more sense to access it only the first time needed. Is it really necessary to use keychain for info stored in CoreData?

It really doesn't make sense to access keychain that frequently.

The keychain is there to protect data at rest [1]. If you need to cache a password in memory so you can reuse it over and over again over the lifetime of a connection, that’s fine. However, storing a password in a plaintext file, like a CoreData database, is considered bad form.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] At least for passwords. For private keys, the keychain allows for the key material to be retained by the security daemon and thus never make it into your process. That’s cool, but it’s irrelevant to this setup.
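
The pattern discussed in the replies above (keychain for the password at rest, an in-memory copy for repeated SFTP operations), as an added example that is not code from the thread or from Apple's articles. `ServerPasswordStore` and `KeychainError` are hypothetical names; it assumes the Core Data object keeps only the host and account, which serve as the lookup key.

```swift
import Foundation
import Security

struct KeychainError: Error { let status: OSStatus }

/// Hypothetical helper: passwords live in the keychain, never in Core Data.
final class ServerPasswordStore {
    // Memory-only cache so each upload/download does not hit the keychain.
    private var cache: [String: String] = [:]

    private func baseQuery(host: String, account: String) -> [String: Any] {
        [kSecClass as String: kSecClassInternetPassword,
         kSecAttrServer as String: host,
         kSecAttrAccount as String: account,
         kSecAttrProtocol as String: kSecAttrProtocolSSH]
    }

    /// Adds the item, or updates it when one already exists for host/account.
    func save(_ password: String, host: String, account: String) throws {
        let query = baseQuery(host: host, account: account)
        let data = Data(password.utf8)
        var add = query
        add[kSecValueData as String] = data
        var status = SecItemAdd(add as CFDictionary, nil)
        if status == errSecDuplicateItem {
            let changes: [String: Any] = [kSecValueData as String: data]
            status = SecItemUpdate(query as CFDictionary, changes as CFDictionary)
        }
        guard status == errSecSuccess else { throw KeychainError(status: status) }
        cache["\(account)@\(host)"] = password
    }

    /// Returns nil when nothing is stored; reads the keychain only on first use.
    func password(host: String, account: String) throws -> String? {
        let key = "\(account)@\(host)"
        if let cached = cache[key] { return cached }
        var query = baseQuery(host: host, account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError(status: status)
        }
        let password = String(decoding: data, as: UTF8.self)
        cache[key] = password
        return password
    }
}
```

The password field's action or setter would call `save`, and the SFTP code would call `password(host:account:)` when it opens a connection.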