Let's assume the following scenario: I am writing an application where you can log in and then provide login details to another system, i.e. your email account, FTP account, etc. The application then reuses those login details later when it tries to log into those services to perform a certain task. Those tasks are performed in the background via a cron script, and the user does not want to have to log in every time to provide the login details to those services. This means I need to store the login details in a secure way. But how? I would prefer to store them in the database, but for obvious reasons they can't be plain text. So how can I store them safely? Thanks
What you're thinking of is a persistent session. It has nothing to do with storing the login. They log in ONE time. Your script creates a cookie with an ID that is used as a key in your database to look up the account information. It's not validating the credentials again. You are simply using the session ID as a key to their account information. I would recommend using a library or at least a well-thought-out pattern before rolling your own implementation of this scheme.
How are other systems doing this sort of thing? Like, how would Zapier do this if you give them, let's say, an email address and password to check an email account? Surely they need to store it somehow so they can reuse the login details at a later time.
You can't use password hashes, as you would need to fetch the password to perform email/FTP activity. Hashes are useful for logins only. Use AES256 encryption, with key input from the command line on startup. This will be stored in memory, which can also be fetched off memory. An attacker would have to gain access at root/admin level to read off memory. The problem with this is that every time the server reboots, you need to key in to start your app. Most vendors would simply use encryption with iv key stored somewhere.
You need to encrypt the password using an encryption function, then decrypt it using another before sending it to FTP/email etc. Check this: https://www.php.net/manual/en/book.mcrypt.php
Why on earth would you decrypt a password to send it to someone in plaintext via email?? That's horrible advice. The password stays in your database encrypted. If someone does not remember their password then you develop logic to reset the password by replacing the encrypted stored password with a new encrypted stored password. That's not even really the topic. The original poster is confused with thinking there has to be a plaintext exchange of passwords from one system to another. He/She most likely will be using a method to create a persistent session across platforms via some sort of session/transaction ID and cookie.
@NetStar I don't think you understood the question, or my reply. He is not sending passwords via email to users. He is "using" those stored passwords to perform tasks using cron jobs. Automated work. FTP service, email service, etc. are different services which his code will access using the passwords provided by the user. He doesn't want the user to type the password again and again, so he wants to store it in a database. He knows that storing passwords in plain text is not safe, so he asked how he can "store" the password safely, retrieve it later and "use" it. How else will you do it without encrypting the password before "storing", and then decrypting the database-retrieved password before "using" it?
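An added example, not code from any poster in this thread: one way to do the encrypt-before-storing, decrypt-before-using flow described in the replies above, with the AES-256 key supplied at process start rather than kept in the database. It uses PHP's OpenSSL extension in GCM mode (a choice made here, the thread only says AES256); the function names, the `CRED_KEY_HEX` environment variable and the context string format are assumptions for illustration.

```php
<?php
declare(strict_types=1);

const CIPHER = 'aes-256-gcm';

// Key arrives when the process starts (hypothetical env var holding 64 hex chars);
// it is never written to the database that holds the ciphertext.
function load_key(): string {
    $hex = getenv('CRED_KEY_HEX');
    $key = is_string($hex) ? @hex2bin($hex) : false;
    if (!is_string($key) || strlen($key) !== 32) {
        throw new RuntimeException('CRED_KEY_HEX must be 64 hex characters');
    }
    return $key;
}

// $context ties the ciphertext to one row, e.g. "user:42|service:ftp", so a
// value copied into another user's row fails authentication on decrypt.
function seal_credential(string $secret, string $key, string $context): string {
    $iv = random_bytes(12);                 // fresh 96-bit nonce for every encryption
    $tag = '';
    $ct = openssl_encrypt($secret, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $context);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // single column: nonce | tag | ciphertext
}

function open_credential(string $stored, string $key, string $context): string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed stored credential');
    }
    $pt = openssl_decrypt((string) substr($raw, 28), CIPHER, $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16), $context);
    if ($pt === false) {                    // wrong key, wrong row context, or modified data
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Constructed demo values; a cron job would call load_key() instead.
$key = random_bytes(32);
$stored = seal_credential('ftp-pass-example', $key, 'user:42|service:ftp');
echo open_credential($stored, $key, 'user:42|service:ftp'), PHP_EOL;
try {
    open_credential($stored, $key, 'user:43|service:ftp'); // row swapped to another user
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```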