Tidying up password storage in Amarok

Andrzej J. R. Hunt andrzej at ahunt.org
Wed Apr 11 20:21:25 UTC 2012


On 10/04/12 20:16, Matěj Laitl wrote:
> On 10. 4. 2012 Stefan Derkits wrote:
>>> Hmm, I may want to allow storing last.fm password in plain-text
>>> while disabling to store MySQL pass in plain-text. The confirmation
>>> should be probably per-plugin then.
>> that sounds a little bit not so user-friendly (having to confirm
>> secure storage for every plugin).
>> I would suggest to always take the most secure storage available,
>> without any config options or per plugin options.
>> If I have a secure password store like KWallet why would I want to
>> save any password in plain text?
> I didn't express myself correctly, for sure KWallet should be used by default
> without asking. I wanted to say that if KWallet isn't available, I may want to
> be asked for each password separately to store it in plain-text or not at all.
> (because some of them may be more valuable)
I've just been looking at the way all the plugins use their passwords.
It seems a redesign would be needed to allow password entry manually:
currently the plugins stay disabled until a password is stored; once one
is stored, they use this at every startup to authenticate with their
service. If you want to be able to have the user asked for login details
at every startup, you would need to change the plugins to repeatedly ask for
passwords until they can log in (e.g. in case there is a typo in the
password etc.), rather than just having them ask for a password once
(since they assume the passwords are stored correctly), and then fail
silently when the password doesn't work (this at least is the case for
LastFM).

Therefore I think it's probably better to work on the assumption that 
all passwords are stored on disk -- I wouldn't think it too unreasonable 
to expect those, who want a specific password not to be in plaintext, to 
go to the bother of setting up KWallet (or whatever other backends are 
added) correctly?

Incidentally, the MySQL configuration interface is implemented using
KConfigXT (an XML file which is translated to C++, which then writes to
plaintext, if I've understood it correctly), i.e. the settings aren't
stored in KWallet. I'll look into whether that can be changed when I'm
migrating the plugins to use PasswordManager.

