473,245 Members | 1,434 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,245 software developers and data experts.

Secure password storage

I’m writing a web application that needs to keep passwords in a database.
These passwords are for third-party services and are different from the
regular login passwords.

I don’t like storing this sensitive info as plain text and one-way hashing
is not an option because I need the actual passwords. I’ve done some quick
research and it seems that symmetric encryption algorithms (blowfish, AES…)
provide a reasonable solution—I don’t need a 100% hacker-proof system but I
don’t want my security to be too dumb.

These encryption methods, of course, rely on secret keys. And that’s my
doubt: how do I keep these keys so the system is not too insecure? An
include file with a constant or variable must be world-readable if I want
to use if from a web site. If I use the regular login password as key (it’s
stored as an MD5 hash so it has to be typed every time), users will lose
all their passwords whenever they forget their login info.

I’d appreciate any tips or suggestions, as well as links where this
specific problem is discussed.
--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web: http://bits.demogracia.com
+- Mi web de humor con rayos UVA: http://www.demogracia.com
--
Jul 3 '06 #1
4 4138

Alvaro G. Vicario wrote:
I'm writing a web application that needs to keep passwords in a database.
These passwords are for third-party services and are different from the
regular login passwords.

I don't like storing this sensitive info as plain text and one-way hashing
is not an option because I need the actual passwords. I've done some quick
research and it seems that symmetric encryption algorithms (blowfish, AES....)
provide a reasonable solution-I don't need a 100% hacker-proof system butI
don't want my security to be too dumb.

These encryption methods, of course, rely on secret keys. And that's my
doubt: how do I keep these keys so the system is not too insecure? An
include file with a constant or variable must be world-readable if I want
to use if from a web site. If I use the regular login password as key (it's
stored as an MD5 hash so it has to be typed every time), users will lose
all their passwords whenever they forget their login info.

I'd appreciate any tips or suggestions, as well as links where this
specific problem is discussed.
--
-+ http://alvaro.es - lvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programacin web: http://bits.demogracia.com
+- Mi web de humor con rayos UVA: http://www.demogracia.com
--
I'm probably the most educated person in this field, but if you just
store one key in a PHP file, it would be pretty hard to hack wouldn't
it? Don't put it in a database or anything, just include it where ever
you do your checking.

$key = 'aerg34aerg324eth'; // random

Since it's all done server-side no one would have access to it, unless
they got your FTP info.

And, better yet, add their username to it (not their password which
they might forget) and then run your blowfish algorithm on it.

For my passwords, I've been using md5($password.$key), but I guess
that's not an option for you, like you said, so do
blowfish($password.$username.$key); or something..

Jul 3 '06 #2
On Mon, 3 Jul 2006 19:05:55 +0200, "Alvaro G. Vicario"
<we*******@NOSPAMdemogracia.comwrote:
>Im writing a web application that needs to keep passwords in a database.
These passwords are for third-party services and are different from the
regular login passwords.

I dont like storing this sensitive info as plain text and one-way hashing
is not an option because I need the actual passwords. Ive done some quick
research and it seems that symmetric encryption algorithms (blowfish, AES)
provide a reasonable solutionI dont need a 100% hacker-proof system but I
dont want my security to be too dumb.

These encryption methods, of course, rely on secret keys. And thats my
doubt: how do I keep these keys so the system is not too insecure?
The first thing to ask is what do you trust?

Are you the administrator of the machine, and/or do you trust the person with
root, and are you the only user of the system? If all of the above, storing the
key on the machine _may_ be acceptable, but it still depends on the sensitivity
of the data.

If you don't explicitly trust the admin, then you can't store the keys on the
server for the reasons you state, because you can't keep a secret hidden in
that case.
>An include file with a constant or variable must be world-readable if I want
to use if from a web site.
Careful there - it needs to be web-server readable, which is not quite as
broad as world-readable - although in shared hosting it's practically the same.

There are ways to configure your webserver to run specific scripts under your
own user credentials instead of "nobody" or whatever generic user that they're
normally run as. This means that you would be able to access a file that is
readable by your user only, and inaccessible to other users.

To read the file, other users on the machine would have to break into your
account, either to read it directly, or to change the ownership on their own
scripts to run as you. This doesn't protect at all from abuse by root, but
works against other normal users.

Look up "suexec" and "cgiwrap". Since these generally run as CGI instead of
module you lose some performance, but you can localise the impact to just the
scripts that need it.
>If I use the regular login password as key (its
stored as an MD5 hash so it has to be typed every time), users will lose
all their passwords whenever they forget their login info.
Is that necessarily a bad thing?

If it is, I wonder if there's an approach you could use where the data is
encrypted against _two_ secret keys; the user's own login credentials, and an
administrator key that only you know, and don't store on the machine.

That way, if a user loses their password, you can do a password reset, decrypt
their data using your admin key, and re-encrypt it using their new password.

--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Jul 3 '06 #3
Mark wrote:
>
Alvaro G. Vicario wrote:
>I'm writing a web application that needs to keep passwords in a database.
These passwords are for third-party services and are different from the
regular login passwords.

I'm probably the most educated person in this field, but if you just
store one key in a PHP file, it would be pretty hard to hack wouldn't
it? Don't put it in a database or anything, just include it where ever
you do your checking.

$key = 'aerg34aerg324eth'; // random
A solution is either secure by design or its insecure. That suggestion is
insecure.

better solutions (?):

1) keep all the passwords in a file encrypted with a master key. Don't keep
the key on the server - ask the user to supply it. Note that you'll
probably end up storing it in cleartext in a session which is nearly as bad
as keeping it in a PHP file though, and it's not very handy when you want
to share the passwords.

2) use shared secret encryption. While this will allow you to have multiple
users securely accessing the password (use a quorum of 2 and keep one
password on the server unencrypted, and one encrypted with the users
password) it doesn't scale well and is difficult to manage. Still have
session isolation problem.

3) use assymetric encryption to distribute the password to the users (stored
on the server) - each users copy is encrypted using their public key. User
needs to provide their passphrase to decrypt using their public key on the
server. This is very secure and scales well. Still doesn't solve the
session isolation problem though.

There are ways to solve the session isolation problem...but you've probably
got enough to think about.

C.
Jul 3 '06 #4
On Mon, 3 Jul 2006 19:05:55 +0200, in comp.lang.php "Alvaro G.
Vicario" <we*******@NOSPAMdemogracia.com>
<3d*****************************@40tude.netwrote :
>| Im writing a web application that needs to keep passwords in a database.
| These passwords are for third-party services and are different from the
| regular login passwords.
|
| I dont like storing this sensitive info as plain text and one-way hashing
| is not an option because I need the actual passwords. Ive done some quick
| research and it seems that symmetric encryption algorithms (blowfish, AES)
| provide a reasonable solutionI dont need a 100% hacker-proof system but I
| dont want my security to be too dumb.
You don't mention what database you are using but if you are using
mySQL 5.x then your half way there (but any database that allows VIEWS
will suffice).

What I have done is created 2 Views.
One to retrieve the decrypted password.
One to update/change the user details that also encrypts the password.

The 'get' view looks similar to:
VIEW vw_get_user_details AS
SELECT ID,UName,AES_DECRYPT(Pword,'<36 character encrypt string>') AS
pword from usersInfo;

In php all you will see when validating a user is:
SELECT * FROM vw_get_user_details WHERE Uname='$txtUname' AND
Pword='$txtPWord'";

The $txtUname and $txtPword have been 'escaped' to prevent SQL
injection.

Alternatively you could use .htaccess file if your host allows it.
---------------------------------------------------------------
jn******@yourpantsyahoo.com.au : Remove your pants to reply
---------------------------------------------------------------
Jul 4 '06 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

6
by: Sarah Tanembaum | last post by:
I was wondering if it is possible to create a secure database system using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc)...
5
by: Max | last post by:
I have a collection of system admin scripts (on Win 2k) that I would like to automate the execution of. However, some of them require the use of logins with admin rights, and would therefore prefer...
7
by: Norm | last post by:
Hi All, I have an MDB file which I want to remain secure. It checks for certain parameters upon startup, and will automatically exit if the program is opened/executed by an unauthorized user. ...
9
by: jensendarren | last post by:
I just made a .NET Windows Application which uses MS Access as a backend. Is there a way to deploy the mdb file so that it does not appear as an Access db to the end user and still be accessable to...
26
by: David Garamond | last post by:
I read that the password hash in pg_shadow is salted with username. Is this still the case? If so, since probably 99% of all PostgreSQL has "postgres" as the superuser name, wouldn't it be better...
5
by: Joe | last post by:
I have an application which runs in a non-secure environment. I also have an application that runs in a secure environment (both on the same machine). Is there any way to share the session data for...
8
by: Harris Kosmidhs | last post by:
Hello, while I'm developing sites for some time I never coded a login form with security in mind. I was wondering what guidelines there are. For my point of view I'm thinking of using md5...
5
topher23
by: topher23 | last post by:
I've seen a lot of questions about how to make secure database passwords. I'm going to go over a method of encrypting a password using the MD5 encryption algorithm for maximum security. First,...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, youll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.