All geek questions in one place

PHP - Secure password storage for an external service?

I am currently planning to develop a PHP application that requires user passwords for external services to be stored so that they can be logged in simultaneously when a user logs into my application.

I will need to store passwords in protected, that is, not in plain text, and not in base64 encoding, but this should also be available as plain text by the application, one way or another.

I could only think of something like the following:

When a user adds their credentials for an external service to their account, they re-enter their password for my application and that (in encrypted form) is used to "encrypt" the password for the external service in some way, but in a way that makes it affordable still.

Does anyone have any thoughts, if possible, or a potential solution?

thanks

Also : it is worth noting that this will be an SSL connection in which data is transmitted.

Out of curiosity : say, for example; Google Mail, you can add email accounts to your Google Mail account so that they are all verified. Anyone have any thoughts on how Google stores passwords for the accounts you add?

+4
source share
7 answers

The problem with this in the general case is that your system is compromised, an attacker can get all the passwords for all systems, because they are encrypted and not hashed. There is no way around this, since you want to get plaintext passwords.

If you must do this, you can use something that you can trust as OpenSSL to encrypt passwords.

+5
source

In terms of securities, you should never store a password anywhere. I would like the user to enter their md5 password in their password and save it. Therefore, when it authenticates its authentication against md5. As for the external ones. You can take external password and XOR external password with md5 saved. That way you can undo it to pass it to an external source. Or the best way would be to request a password for external users each time. It is a choice of risk and convenience.

+2
source

Well, you can encrypt passwords with your own password (don't store it anywhere) and just request it every time a message occurs, so the passwords are probably safe.

+1
source

GAH ... I would like everyone to simply standardize keys:

<?php $connection = ssh2_connect('shell.example.com', 22, array('hostkey'=>'ssh-rsa')); $sth = $dbh->prepare('select keyLoc from auth where username = :user'); $sth->bind_param('user', 'username'); $key = $sth->fetch(PDO::FETCH_ASSOC); if (ssh2_auth_pubkey_file($connection, 'username', $key, '/home/username/.ssh/id_rsa', 'secret')) { echo "Public Key Authentication Successful\n"; } else { die('Public Key Authentication Failed'); } ?>

It would make life easier. Just copy your public key everywhere and save your private key.

+1
source

Instead, you should use Oauth - more secure, and also much more user-friendly when it is implemented correctly.

Zend oauht customer

+1
source

You can use php mcrypt, see related question here . Or, if you prefer to encrypt / decrypt the server side, mySQL has an AES encryption function.

0
source

You can use something like PKIF (specifically PKIFCRYPTO ) and NSS or MS-CAPI . This is not for the faint of heart, but you will want to demonstrate a certain degree of competence to users who choose to trust you with their credentials.

0
source

Source: https://habr.com/ru/post/1447540/

More articles:


All Articles