[Security] Storing password as plain text

[PawlikMichal25]

I just realised that the library is saving ParseUser data on most of successful user operations, which might seem handy, but the problem is that it is stored as plain text, including password, which is definitely a security issue.

I believe we should change library's behaviour here or at least make it more clear that the library is storing user passwords as plain text.
What do you think?

Or am I missing something? I know that encryption can be turned on in CoreStore library, but right now that would be suboptimal solution, because all data would be automatically encrypted.

[RodrigoSMarques]

Hi @BaranMichal25

Using Sembast, encryption is enabled by default, and you can enter an encryption password.

     ...
      coreStore: await CoreStoreSembastImp.getInstance(password: 'password'),
     ...

[PawlikMichal25]

Yes, but then all data will be encrypted, right?
In which case, also loading all other classes and their data will be needlessly slow

[RodrigoSMarques]

Yes, all data will be encrypted.

Is it really slow? How much data will you store locally?
Sembast is a pure dart database and very fast in performance tests.

[fischerscode]

CoreStoreSembastImp is always encrypted (except on web), the password has a default value.

I think, the password should not be stored in any database neither in clear text, nor encrypted. Only storing a hashed password is acceptable.

When inspecting my saved user object (ParseUser.currentUser()), it indeed still contains the password.

I have three solutions to solve this problem:

1. provide the password when calling login()
2. storing the password in a field (instead of _objectData) (should be the easiest to implement)
3. removing the password at the saveInStorage call

I think the second one is the best. I will create a branch to test this change, soon.

[fischerscode]

I have implemented option two in this branch.
Testing is highly appreciated as I do not know which side effects this change has.
In a short test, everything seems to work as expected.

[fischerscode]

I have implemented option two in this branch.

I tested this change in my project and I didn't encounter any problems.

[fischerscode]

Option 2 was merged with #446 into release/1.0.28.

[PawlikMichal25]

Nice, thanks for taking care of it :)

[PawlikMichal25]

Actually, can you please explain how this works?
I would think that password is part of objectData, so we're still storing it in the database? Or is it hashed at this point?