Data Encryption – Storing Sensitive Data in Settings File

Tags: data-encryption, passwords, storage

I'm writing a small utility in AutoIt that connects to Twitter. I would like to store the username and password in the program's settings file, but I know that it obviously needs to be encrypted. Previously, when I've done this for personal use, I've just adopted an ini format, written to a temporary file and then encrypted it using a ridiculously long password and 256-bit AES encryption, just calling the file "settings.eini".

However, I'm going to be offering this utility to the public. I don't expect a large amount of people to use it or for it to become a target, but I thought that it's best not to take chances. I've been reading about creating custom file extensions and it seems like something I want to avoid for now, so is there a standard/acceptable way of doing this?

Best Answer

Encryption is only as good as the means to decrypt it. While it keeps out most people, anyone with reasonable knowledge of encryption could reverse engineer the username and password. So logically, the solution is to make it difficult to reverse engineer. The best mentality to adopt when trying to achieve this is to assume that someone wanting to crack your program knows everything that you know: how do you make it difficult to decrypt even then?

One solution that I've found is to draw on some information that's unique to that computer, like, say, the hard disk serial number. Using that as a key, you can encrypt and decrypt the username and password, and so long as your source code is protected and your program is obfuscated, nobody would be the wiser. It only has the minor downside that it can't decrypt these values if the folder is copied to another computer (hence a different hard disk serial number).

Another approach is to make a formal HTTPS request to a server which provides a key that is used to encrypt and decrypt, making it impossible to decrypt by using the key, since the key is not saved locally. It has the drawback that it requires the computer to be online, but since it has to access Twitter anyway, I'd say that drawback doesn't apply to you. It also doubles as a way for you to authenticate usage of your program by proving that the license used for that program isn't used under a different IP. This is becoming an increasingly popular approach, since the number of computers that work offline is always getting smaller.
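The machine-bound approach from the answer, written out as an added example (this is not the answerer's code and not the asker's AutoIt utility). It keeps the question's ini layout and 256-bit AES, uses only the Go standard library, and derives the file key from the disk serial with HKDF-SHA256 written out over `crypto/hmac`. The two disk serials, the `[twitter]` section layout and the HKDF info string are constructed for the illustration; a real build would read the serial from the operating system. A random salt and nonce are stored in front of the AES-256-GCM ciphertext, so the same serial reaches the same key only together with that file's salt, and a copy opened on a computer with a different serial fails the authentication tag instead of returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Settings is the pair the utility keeps in its settings file.
type Settings struct {
	Username string
	Password string
}

// encodeINI writes the settings in the ini layout the question describes.
func encodeINI(s Settings) string {
	return "[twitter]\nusername=" + s.Username + "\npassword=" + s.Password + "\n"
}

// decodeINI parses that layout back; section headers and blank lines are skipped.
func decodeINI(text string) (Settings, error) {
	var s Settings
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "[") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return s, fmt.Errorf("malformed line %q", line)
		}
		switch k {
		case "username":
			s.Username = v
		case "password":
			s.Password = v
		}
	}
	if s.Username == "" || s.Password == "" {
		return s, errors.New("username or password missing")
	}
	return s, nil
}

// deriveKey turns the machine identifier into a 256-bit AES key with
// HKDF-SHA256 (RFC 5869 extract-then-expand, written out over crypto/hmac).
// The salt is random per file and stored in it; the info string is an
// assumed label that binds the key to this one purpose.
func deriveKey(machineID string, salt []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write([]byte(machineID))
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte("settings.eini AES-256-GCM key"))
	expand.Write([]byte{1}) // HKDF block counter; one block yields the 32 bytes needed
	return expand.Sum(nil)
}

const saltLen, nonceLen, tagLen = 16, 12, 16

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the settings under a key bound to machineID.
// File layout: salt || nonce || AES-256-GCM ciphertext and tag.
func Seal(s Settings, machineID string) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := io.ReadFull(rand.Reader, hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	aead, err := newAEAD(deriveKey(machineID, salt))
	if err != nil {
		return nil, err
	}
	// The salt is passed as associated data, so replacing it is detected too.
	return aead.Seal(hdr, nonce, []byte(encodeINI(s)), salt), nil
}

// Open decrypts a file produced by Seal. A different machineID derives a
// different key, so the tag check fails: the "copied to another computer"
// case from the answer surfaces as an error rather than as wrong credentials.
func Open(blob []byte, machineID string) (Settings, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return Settings{}, errors.New("settings file too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(deriveKey(machineID, salt))
	if err != nil {
		return Settings{}, err
	}
	pt, err := aead.Open(nil, nonce, ct, salt)
	if err != nil {
		return Settings{}, errors.New("cannot decrypt settings: different machine or file modified")
	}
	return decodeINI(string(pt))
}

func main() {
	const thisDisk = "WD-WCC4E1234567" // constructed serial; a real build reads it from the OS
	blob, err := Seal(Settings{Username: "alice", Password: "hunter2"}, thisDisk)
	if err != nil {
		panic(err)
	}
	fmt.Println(Open(blob, thisDisk))
	fmt.Println(Open(blob, "ST3000DM001-1CH166")) // constructed serial of another disk
}
```

Note what the binding buys: a disk serial is not a secret, so anyone who can read `settings.eini` on that machine can normally read the serial too. This ties the file to the computer it was written on (the property the answer describes) and detects edits to it; it does not hide the password from someone with access to that computer, which is why the answer pairs it with protecting the source and obfuscating the program.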
