QGIS » QGIS Application

You don't need to save username/passwords. If you do they'll be unencrypted (and you are warned about that), if you don't QGIS prompts for credentials, when it needs them.

Fair point. But then I'd have to share the database password with the users which is very sub-optimal for a whole raft of reasons. I have no issue with storing the password if required (as it will be for us), but it should definitely be encrypted.

The AES encrypted password (In the project file) + the encryption password (which will have to be given to the users, so they can tell it to QGIS which then can decrypt the password and send it to the DB for login) + an optional salt (which QGIS also has to know) will give a user everything he needs to know, in order to decrypt the original password again. With the difference to the current solution, that 98% of the users won't notice and won't worry, that it would be easy for the other 2% (under them possible attackers) to decrypt the PW.
Disclaimer: At least that's the way I understand this (as a non-crypto expert). If there's a misunderstanding from my side, please let me know.

I'd rather implement a proper user role setup in your database (with readonly for some users) with firewall (maybe VPN).

Concerning QGIS: Instead of encrypting keys and store them in the qgs file, a central key storage system may be better suited (some platforms have already built-in things e.g. gnome-keyring)
The user will then have his personal password to get access to the keystore. The first time the user connects to the database, you will have to tell him the database password which will then be encrypted on his machine (with his personal password) and stored there, so he doesn't have to memorize it or note it down.

Matthias Kuhn wrote:

The AES encrypted password (In the project file) + the encryption password (which will have to be given to the users, so they can tell it to QGIS which then can decrypt the password and send it to the DB for login) + an optional salt (which QGIS also has to know) will give a user everything he needs to know, in order to decrypt the original password again.

Yes, it's basically like DRM - it's impossible to actually secure it because you need the keys to unlock it with the stuff you want to lock. But unlike DRM I think some sort of security is still better than nothing. :-)

I'd rather implement a proper user role setup in your database (with readonly for some users) with firewall (maybe VPN).

We do both and probably more, but it is still like best practice to keep passwords encrypted. At least this way if/when someone posts a project online the passwords aren't open for the world to see. Not all users abide by security best practices; most probably even aren't aware of these issues.

Concerning QGIS: Instead of encrypting keys and store them in the qgs file, a central key storage system may be better suited (some platforms have already built-in things e.g. gnome-keyring)
The user will then have his personal password to get access to the keystore. The first time the user connects to the database, you will have to tell him the database password which will then be encrypted on his machine (with his personal password) and stored there, so he doesn't have to memorize it or note it down.

This is the sort of solution I was thinking of based on your reply. Seems like one promising direction.