
My application connects to many other applications, and so I need to store the usernames/passwords of those other applications in my database.

I do not want to store them as plain text, but my application will need to send a plain-text password to the other applications for authentication.

Please suggest the best way to securely store the passwords.

Thanks.

user2818666
  • Honestly, if you really send (as in the literal meaning of "send", i.e. across a network) a plaintext password, you can as well store the plaintext password on disk. It's more likely to get sniffed while being sent over the network ten thousand times than being stolen from your local computer. In fact, it's pretty much _guaranteed_ to be sniffed. – Damon Oct 22 '13 at 13:28
  • it could be sent in 'plaintext' over an ssl channel, using digest auth, or some other method that requires plaintext as input but doesn't actually send the plaintext over the wire. – bloy Oct 22 '13 at 14:01
  • @bloy I'm using SSL :) – user2818666 Oct 22 '13 at 14:08
  • I tried to answer a similar question here [Encrypting user data for automatic login to third party system](http://stackoverflow.com/q/19674910/575765). – martinstoeckli Dec 12 '13 at 11:43

2 Answers


Use a reversible encryption (AES, probably) on the sensitive data fields in the database, and have your app decrypt it every time it needs the value. You'll need to have the encryption key accessible to your application somehow, but that should probably be in a deployment-specific config file.

This will protect you if someone gets a dump of your database but not a dump of the filesystem where your app resides.

bloy
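The reversible-encryption approach bloy describes, as an added example that is not from the answer's author: AES-256-GCM from Go's standard library, the key read from an environment variable that deployment-specific config sets (the name CREDENTIAL_KEY is assumed for this example), and the target application plus username bound in as associated data so an encrypted value cannot be copied from one row to another. The sample row is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// Stored column format: base64(nonce || ciphertext || GCM tag).
// The key never lives in the database; loadKey reads it from an environment
// variable that deployment config populates (CREDENTIAL_KEY is an assumed name).
func loadKey(envVar string) ([]byte, error) {
	h := os.Getenv(envVar)
	if h == "" {
		return nil, errors.New("key not configured in " + envVar)
	}
	key, err := hex.DecodeString(h)
	if err != nil || len(key) != 32 {
		return nil, errors.New(envVar + " must hold 32 bytes as hex (AES-256)")
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPassword encrypts one stored credential. aad is authenticated but not
// encrypted: binding it to the row (target app + username) means a ciphertext
// moved to another row, or re-targeted, fails to decrypt.
func sealPassword(key []byte, plaintext, aad string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, fresh per encryption
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openPassword reverses sealPassword; any change to nonce, ciphertext, tag or
// aad produces an error instead of garbage plaintext.
func openPassword(key []byte, stored, aad string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(aad))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered row, or mismatched aad")
	}
	return string(pt), nil
}

func main() {
	key, err := loadKey("CREDENTIAL_KEY")
	if err != nil {
		fmt.Println(err)
		return
	}
	// Constructed sample row: this app logs in to "crm" as alice.
	aad := "app=crm;user=alice"
	stored, _ := sealPassword(key, "correct horse battery staple", aad)
	fmt.Println("db column:", stored)
	pw, err := openPassword(key, stored, aad)
	fmt.Println("plaintext for login:", pw, err)
	_, err = openPassword(key, stored, "app=crm;user=bob") // row-swap attempt
	fmt.Println("swapped row:", err)
}
```

Run it with CREDENTIAL_KEY set to 64 hex characters (for instance the output of `openssl rand -hex 32`). This does not change the caveat in the answer: anyone who can read both the database and the environment of the running application recovers every password, so the key should be readable by the application's service account only.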

It's rarely necessary, if ever, to use a reversible encryption strategy to store passwords. The reason for storing a password is so the user can prove their identity to you (for some value of "prove") at some point in the future, and that can generally be done with a one-way hash like MD5 or SHA1.

Using a one-way hash to store your passwords does protect your users against an intruder getting access to your system, since there is no key that will allow them to obtain the plaintext from the encrypted passwords.

Tim Pierce