1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

How to store passwords and be able to reuse them later

Discussion in 'PHP' started by stephan2307, Oct 8, 2019.

  1. #1
    Lets assume the following scenario

    I am writing an application where you can log in and then provide login details to another system ie your email account, FTP account etc
    The application then reuses those login details later when it tries to log into those services to perform a certain task. Those tasks are performed in the background via a cron script and the user does not want to have to log in every time to provide the login details to those services.
    This means I need to store the login details in a secure way. But how? I would prefer to store them in the database but for obvious reasons they can't be plain text. So how can I store them safely?

    Thanks
    SEMrush
     
    stephan2307, Oct 8, 2019 IP
    SEMrush
  2. mmerlinn

    mmerlinn Notable Member

    Messages:
    2,415
    Likes Received:
    353
    Best Answers:
    6
    Trophy Points:
    290
    #2
    NEVER store passwords EVER, not even encrypted. Always store a hash of the passwords.
     
    mmerlinn, Oct 8, 2019 IP
    SpacePhoenix likes this.
  3. NetStar

    NetStar Notable Member

    Messages:
    2,362
    Likes Received:
    501
    Best Answers:
    21
    Trophy Points:
    245
    #3
    What you're thinking of is a persistent session. It has nothing to do with storing the login. They login ONE time. Your script creates a cookie with an ID that is used as a key in your database to look up the account information. It's not validating the credentials again. You are simply using the session ID as a key to their account information.

    I would recommend using a library or at least a well thought out pattern before rolling your own implementation of this scheme.
     
    NetStar, Oct 13, 2019 IP
  4. stephan2307

    stephan2307 Well-Known Member

    Messages:
    1,261
    Likes Received:
    29
    Best Answers:
    7
    Trophy Points:
    150
    #4
    How are other systems doing this sort of thing. Like how would Zapier do this if you give them lets say and email address and password to check an email account. Surely they need to store it somehow so they can reuse the login details at a later time.
     
    stephan2307, Oct 15, 2019 IP
  5. bountysite

    bountysite Active Member

    Messages:
    71
    Likes Received:
    4
    Best Answers:
    1
    Trophy Points:
    73
    #5
    You cant use password hashes as you would need to fetch password to perform email/ftp activity. Hashes are useful for logins only.
    Use AES256 encryption, with key input from command line on startup. This will be stored in memory, which can also be fetched off memory. Attacker would have to gain access to root/admin level to read off memory.
    The problem with this, is that every time server reboots, you need to key in to start your app.

    Most vendors would simply use encryption with iv key stored somewhere.
     
    bountysite, Oct 15, 2019 IP
    deathshadow likes this.
  6. sbenjamin81

    sbenjamin81 Peon

    Messages:
    7
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    1
    #6
    Create an API like using soap and rest.. That way you're using tokens.
     
    sbenjamin81, Oct 24, 2019 IP
  7. stephan2307

    stephan2307 Well-Known Member

    Messages:
    1,261
    Likes Received:
    29
    Best Answers:
    7
    Trophy Points:
    150
    #7
    Thanks but I think you are missing the point here.
     
    stephan2307, Oct 25, 2019 IP
  8. JEET

    JEET Notable Member

    Messages:
    2,690
    Likes Received:
    200
    Best Answers:
    5
    Trophy Points:
    215
    #8
    JEET, Oct 25, 2019 IP
    deathshadow likes this.
  9. NetStar

    NetStar Notable Member

    Messages:
    2,362
    Likes Received:
    501
    Best Answers:
    21
    Trophy Points:
    245
    #9
    Why on earth would you decrypt a password to send it to someone in plaintext via email?? That's horrible advice. The password stays in your database encrypted. If someone does not remember their password then you develop logic to reset the password by replacing the encrypted stored password with a new encrypted stored password. That's not even really the topic. The original poster is confused with thinking there has to be a plaintext exchange of passwords from one system to another. He/She most likely will be using a method to create a persistent session across platforms via some sort of session/transaction ID and cookie.
     
    NetStar, Oct 25, 2019 IP
  10. JEET

    JEET Notable Member

    Messages:
    2,690
    Likes Received:
    200
    Best Answers:
    5
    Trophy Points:
    215
    #10
    @NetStar
    I don't think you understood the question, or my reply.
    He is not sending passwords via email to users.
    He is "using" those stored passwords to perform tasks using cron jobs.
    Automated work.
    FTP service, email service, etc are different services which his code will access using the passwords provided by user.
    He doesn't wants the user to type password again and again, so he wants to store it in a database.
    He knows that storing password in plain text is not safe, so he asked how can he "store" the password safely, retrieve it later and "use" it.

    How else will you do it without encrypting the password before "storing", and then decrypting database retrieved password before "using" it?
     
    JEET, Oct 25, 2019 IP
    deathshadow and stephan2307 like this.
  11. stephan2307

    stephan2307 Well-Known Member

    Messages:
    1,261
    Likes Received:
    29
    Best Answers:
    7
    Trophy Points:
    150
    #11
    Thanks @JEET for clarifying this
     
    stephan2307, Oct 29, 2019 IP
    JEET likes this.
  12. JEET

    JEET Notable Member

    Messages:
    2,690
    Likes Received:
    200
    Best Answers:
    5
    Trophy Points:
    215
    #12
    JEET, Oct 29, 2019 IP