Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I securely store passwords to a 3rd party webservice in my database?

I need to store a 3rd-party password in our configuration database, so the user can save their login information for a web service that can be accessed through our server.

I need to pass the password to the web service, so I can't just hash the password and store the hash. I need to be able to get to the actual password for sending to the service.

For security reasons, I'd like to encrypt the password that we're storing in the database. Everything I look up regarding encrypting passwords seems to say "hash it, don't encrypt it!" but I don't think that applies in this case.

I am wondering if it's better to handle the encryption/decryption in the VB.NET code or use SQL Server to accomplish it (from what I see here, it's at least possible to do it in SQL, but I'm not sure if that makes sense. I need to research that more to find out what the deployment issues would be like).

like image 476
fussmonkey Avatar asked Aug 28 '12 13:08

fussmonkey


People also ask

Is it safe to store passwords in database?

Storing plain text passwords in the database is a sin. Encryption functions provide one-one mapping between input and output and they are always reversible. If the hacker gets the key, he will be able to decrypt the passwords. The better way would be to use a one way cryptographic hash function.

What practices best to store passwords in a database?

Hash all passwordsAlways create a hash from them and store the hash instead. In password storage, hashing is superior to encryption since a hash can't be reversed. If a user attempts to log in, you can recreate the hash from the password they entered and check if the new hash matches the one you saved at sign up.

What are the techniques are used for storing password securely?

Hashing and encryption both provide ways to keep sensitive data safe. However, in almost all circumstances, passwords should be hashed, NOT encrypted. Hashing is a one-way function (i.e., it is impossible to "decrypt" a hash and obtain the original plaintext value).

Which is the least secure way for a server to store passwords?

Storing passwords in plaintext. This may sound silly but there are websites that do store the user's passwords in plaintext without any kind of encryption. For sure this is the worst practice. There are a lot of big corporations that still use this naive approach.


2 Answers

Generally speaking it is better to hash passwords that's true, but in your case that seems to not be possible. I would definitely not recommend encrypting with a symmetric key on the SQL server itself, the reason being is that if your SQL server is compromised then your encryption is also compromised (because the key will be on that same server).

One thing I would recommend is that you use a temporary store somewhere, this could be something like in the session. However be careful of both using sessions and cookies because you can become vulnerable to CSRF attacks and session/cookie hijacking attacks. One thing you can do is have the user enter the password, then encrypt and store it in their cookie, attaching their client IP in the cookie and then adding a timestamp for expiration at the beginning (this will also make the avalanche effect more effective as you are changing the bits in the beginning of your plaintext). Require that for a request to the web service to be made that they attach some CSRF token that is rendered on the client side and that it is a POST not a get, finally validate the client IP and that the timestamp is not older than x minutes/hrs (depending on how paranoid you want to be).

If the users cookie is stolen then they will not be able to make the request because it is specific to their client IP (unless they spoof the users IP but at that point you realize this attacker is not that smart since I'm sure there are other easier attack vectors that will give them a bigger payload). If the user is able to somehow spoof the IP they will not be able to use it for long because the timeout will make the cookie void. And If the user is smart enough to break your encryption algorithm well... then you pretty much had no chance in the first place.

like image 87
nerdybeardo Avatar answered Oct 09 '22 07:10

nerdybeardo


I agree with George Stocker. If you can use existent protocol - go with it (it will reduce amount of possible issues and security vulnerabilities tenfold).

Just in the case, if you are out of options (can't use any protocol). If you need to access 3rd party webserver only when a user does something on your server, I would recommend following:

  • Don't store passwords in your DB

  • Create a cookie with a password to 3rd party service and encrypt with some secret key. Send this cookie back to a user.

  • As soon as the user returns to your website, you will get cookies, decrypt it, get a password from cookie and use it to access 3rd party webservice.

So, in the case, if somebody will hack your server and will copy the database, they won't have passwords to 3rd party webservices. In the case, if somebody will hack users computers, all cookies are encrypted, so they won't be able to do anything with them.

The only security weakness of this, if somebody will be able to inject some code into your server and will capture passwords from active users sessions.

like image 27
Victor Ronin Avatar answered Oct 09 '22 05:10

Victor Ronin