Duplicacy Web: disable storing master password in keyring by default

Feature request / improvement:

At least in the macOS version, when starting Duplicacy Web, the checkbox to store the master password in the keyring is enabled by default.

I would advocate changing this behaviour to opt-in: I don’t think it’s a good practice for important passwords like a master password to be potentially stored in the cloud if a user is not attentive and hits enter too fast. If a user wants to store the master password, she can enable the checkbox at the next login and, after opting in, the matter is settled, and users who don’t want to store the password do not have to watch out every time they start Duplicacy Web.

Or, alternatively, make the checkbox remember the state from the last login.

What do you think?

This is the best practice — to save passwords to the Keychain. That’s what Keychain exists for. And this is your local Keychain, not cloud. Furthermore, the Keychain is encrypted with your machine ID and your password. Even if you replicate it to iCloud — it’s still end-to-end encrypted. And lastly, only authorized applications — in this case, only duplicacy web — can get the item from the Keychain. Nobody else.

I would advocate for removing the checkbox altogether — it shall save stuff to the Keychain unconditionally, in my opinion. There is no benefit to not storing all credentials in the Keychain: any alternative provides weaker security.

If you don’t save the key to the Keychain, two possibilities exist:

  • your backups won’t run until you log in, because cloud credentials are encrypted with the master password.
  • duplicacy will have to store cloud credentials some other way, in a less secure manner. Like it does on Linux when Keychain is not available, encrypted with machine UUID — which is not a secret at all.

For more information, and perhaps peace of mind — please have a look at this: Keychain data protection - Apple Support
