PHP - Storing password for external service securely?

I'm currently planning the development of a PHP application that shall require user passwords for external services to be stored so that they can be logged into simultaneously when the user logs into my application.

I shall need to store the passwords securely, i.e. not in plain text and not base64 encoded, but they shall also need to be accessible as plain text by the application, one way or another.

I've only been able to think of something like the following:

When a user adds their credentials for the external service to their account, they re-enter their password for my application and that (in an encrypted form) is used to 'encrypt' the password for the external service somehow, but in a way that makes it accessible still.

Does anyone have any thoughts on if this is possible, or a potential solution?

Thanks

Also: it's worth noting that it will be an SSL connection that the data is sent over.

Out of curiosity: say, for example, Google Mail. You can add email accounts to your Google Mail account so that all of them are checked. Does anyone have any thoughts on how Google stores the passwords for the accounts you add?

Seer asked Nov 21 '12 16:11

3 Answers

The problem with this in general is that if your system is ever compromised, the attacker can get all the passwords for all the systems, because they are encrypted and not hashed. There is no way around this, since you want to be able to get the plain-text passwords.

If you must do this, you can use something well trusted like OpenSSL to encrypt the passwords.

Oleksi answered Sep 25 '22 20:09

From a security standpoint, you really should never store a password anywhere. I would have the user enter their password, md5 it, and store that. So when he authenticates, it's authenticated vs. the md5. As for the externals, you could take the external password and XOR it with the stored md5. That way you could undo it to pass it to the external source. Or the better way would be to ask for the password every time for the externals. This is a choice of risk vs. convenience.

user1836293 answered Sep 22 '22 20:09

Well, you may encrypt the passwords with the user's own password (not storing it anywhere) and just ask for it every time the communication is being made. This way the passwords are probably safe.

nothrow answered Sep 22 '22 20:09
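As an added example (not code from the question or any of the answers), this is one way to implement what Oleksi and nothrow describe in PHP: the external-service password is encrypted with OpenSSL under a key derived from the user's own application password, which is never stored. The function names, the PBKDF2 iteration count and the storage layout are this example's own choices.

```php
<?php
// Added example, not from the question or answers: seal an external-service
// password under a key derived from the user's own application password
// (nothrow's suggestion) using OpenSSL (Oleksi's suggestion). The user's
// password is never stored; the key is re-derived from it at each login.
// All function and variable names here are the example's own.

const PBKDF2_ITERATIONS = 600000;

// Derive a 32-byte AES key from the user's password and a per-record salt.
function deriveKey(string $userPassword, string $salt): string
{
    return hash_pbkdf2('sha256', $userPassword, $salt, PBKDF2_ITERATIONS, 32, true);
}

// Encrypt an external password; returns a blob that can be stored in the database.
function sealExternalPassword(string $userPassword, string $externalPassword): string
{
    $salt = random_bytes(16);
    $iv   = random_bytes(12);   // 96-bit nonce for AES-256-GCM
    $tag  = '';
    $ciphertext = openssl_encrypt($externalPassword, 'aes-256-gcm',
        deriveKey($userPassword, $salt), OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout: salt (16) | iv (12) | tag (16) | ciphertext
    return base64_encode($salt . $iv . $tag . $ciphertext);
}

// Decrypt at login; a wrong user password or a tampered blob yields null.
function openExternalPassword(string $userPassword, string $blob): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 44) {
        return null;
    }
    $salt = substr($raw, 0, 16);
    $iv   = substr($raw, 16, 12);
    $tag  = substr($raw, 28, 16);
    $plain = openssl_decrypt(substr($raw, 44), 'aes-256-gcm',
        deriveKey($userPassword, $salt), OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain;
}

// Constructed demo values.
$blob = sealExternalPassword('users-app-password', 'imap-secret');
assert(openExternalPassword('users-app-password', $blob) === 'imap-secret');
assert(openExternalPassword('wrong-password', $blob) === null);
```

The derived key should live only in server memory for the duration of the session, never in the database, and a change of the user's application password requires re-sealing every stored blob under the new key.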