How to store passwords and be able to reuse them later

Discussion in 'PHP' started by stephan2307, Oct 8, 2019.

  1. #1
    Let's assume the following scenario:
    I am writing an application where you can log in and then provide login details to another system, i.e. your email account, FTP account, etc.
    The application then reuses those login details later when it tries to log into those services to perform a certain task. Those tasks are performed in the background via a cron script and the user does not want to have to log in every time to provide the login details to those services.
    This means I need to store the login details in a secure way. But how? I would prefer to store them in the database but for obvious reasons they can't be plain text. So how can I store them safely?

    Thanks
     
    stephan2307, Oct 8, 2019 IP
  2. mmerlinn
    #2
    NEVER store passwords EVER, not even encrypted. Always store a hash of the passwords.
     
    mmerlinn, Oct 8, 2019 IP
  3. NetStar
    #3
    What you're thinking of is a persistent session. It has nothing to do with storing the login. They login ONE time. Your script creates a cookie with an ID that is used as a key in your database to look up the account information. It's not validating the credentials again. You are simply using the session ID as a key to their account information.

    I would recommend using a library or at least a well thought out pattern before rolling your own implementation of this scheme.
     
    NetStar, Oct 13, 2019 at 9:17 PM IP
  4. stephan2307
    #4
    How are other systems doing this sort of thing? Like how would Zapier do this if you give them, let's say, an email address and password to check an email account? Surely they need to store it somehow so they can reuse the login details at a later time.
     
    stephan2307, Oct 15, 2019 at 6:33 AM IP
  5. bountysite
    #5
    You can't use password hashes, as you would need to fetch the password to perform email/FTP activity. Hashes are useful for logins only.
    Use AES256 encryption, with the key input from the command line on startup. This will be stored in memory, which can also be fetched off memory. An attacker would have to gain access to root/admin level to read it off memory.
    The problem with this is that every time the server reboots, you need to key it in to start your app.

    Most vendors would simply use encryption with iv key stored somewhere.
     
    bountysite, Oct 15, 2019 at 8:18 AM IP
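A minimal PHP sketch of the approach bountysite describes (AES-256 with the key supplied to the process at startup and a per-record IV stored next to the ciphertext), added here as an illustration and not code from anyone in this thread. It assumes the key arrives hex-encoded in a `CREDENTIAL_KEY` environment variable, and it goes one step beyond the post by using the authenticated GCM mode with the row identifier bound as associated data, so a tampered or swapped database row fails to decrypt instead of yielding garbage.

```php
<?php
// Added example: credentials for third-party services encrypted at rest.
// Assumptions (not from the thread): a 32-byte key is handed to the process
// once at startup via the CREDENTIAL_KEY env var (hex); only IV, ciphertext
// and auth tag are written to the database, never the key or the plaintext.

declare(strict_types=1);

const CIPHER = 'aes-256-gcm';

function loadKeyFromEnvironment(): string
{
    $hex = getenv('CREDENTIAL_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('CREDENTIAL_KEY must be 32 bytes, hex-encoded');
    }
    return hex2bin($hex); // key lives only in process memory
}

// Returns the three columns to store for one credential row.
function sealCredential(string $key, string $secret, string $recordId): array
{
    $iv  = random_bytes(12); // fresh IV per record; IV reuse breaks GCM
    $tag = '';
    // $recordId is bound as associated data, so this ciphertext cannot be
    // moved into another user's row without the tag check failing.
    $ct = openssl_encrypt($secret, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $recordId, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return ['iv' => base64_encode($iv), 'ct' => base64_encode($ct), 'tag' => base64_encode($tag)];
}

// Called by the background cron job right before it logs in to the service.
function openCredential(string $key, array $row, string $recordId): string
{
    $pt = openssl_decrypt(base64_decode($row['ct']), CIPHER, $key, OPENSSL_RAW_DATA,
        base64_decode($row['iv']), base64_decode($row['tag']), $recordId);
    if ($pt === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered record');
    }
    return $pt;
}

// Constructed demo input; in the real job the row would be read from the DB.
$key = loadKeyFromEnvironment();
$row = sealCredential($key, 'imap-password-example', 'user42:imap');
var_dump(openCredential($key, $row, 'user42:imap') === 'imap-password-example');
```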