Secure password storage

Hi,

I am building a web application that will require the storage of sensitive user information, such as their login info to certain other sites. What would be the best way to handle this?

I was thinking of encrypting it with mcrypt using a random key which is stored on a different server. What do you think?

 

Hm, well you will need to re decrypt those info, right?

if thats the case, you will need to keep the decrypting easy for you, but very hard for anyone who gets the hash, I dont really know how this info is stored, and what would youi use them for, but for an easy decrypting for you, and hard on the others..

base64 with salts maybe, if the salts where stored on a secure place on server, this way the unauthorized user cant get access to it..

please give me more info so I can help out more.

 

a stupid example: a tool that would track a users' daily new forum posts count.

The user signs up to my site and enters the forum urls + associated logins and password. My site automatically logs in to these forums once a day, scrapes new post counts and sends the user a daily report.

So yes, the data must be decryptable, preferably without user-interaction.

 

Okay, my way would be using base64_encode();

but...

more like:

$salt_a = "#!_123!&&&^^";
$salt_b = "_!@$1444123";
$pass = "userpasshere";
$hash = base64_encode($salt_a . $pass . $salt_b);
--

and then to deocode it


$salt_a = "#!_123!&&&^^";
$salt_b = "_!@$1444123";
$hashed = "the_hashed_value";
$clean_a = base64_decode($hashed);
$clean_a = str_replace($salt_a, "", $clean_a);
$clean_a = str_replace($salt_b, "", $clean_a);

yea, thats not that good I know. but thats the basic idea... I dont know of any easier way to decrypt the passwords, sorry

 

The unfortunate truth of it is that if your application can decrypt the sensitive information then a hacker who gets access to your server would be able to do the same thing.

I would start by asking myself if there was a way I could avoid storing the sensitive information. Can you get the information out of the third-party forums without logging in as the user in question ? Can you have a single, generic account that will suffice ? Is there a way of having fewer privileges as the user on the third-party site while still getting the information you need ? Is there already an RSS feed of the information you want ?

Facebook (and other social networking sites) ask you for your username and password for you gmail, yahoo and hotmail accounts so they can get your address book and invite all of the people in it to join your network. I have read, however, that there is an API available to Gmail that enables you to get this information without needing the user's password. If this isn't available at the third-party site that you want to interact with, ask them why not...

Assuming that there isn't an API or RSS feed and you can't convince the third-party to make one, the other thing I would do would be to limit the possible damage by making sure that you can only retrieve one set of sensitive information at a time.
You can enforce this by encrypting the sensitive information with a key based on the user's password. The sensitive information can only be decrypted and used as the user logs in to your site. The key to decrypting the sensitive information is never stored on any of your servers. (This may not fit with your plans of non-user-interaction... but it may provide an incentive for your users to log in to your site more often )

In the end, encrypting data on a server with the decryption key available to the server is not much better than leaving the data unencrypted.

 

Hmm yes but i was think about keeping the decryption key on a different server so the hacker would need to gain access to both servers. But now that i think of it that is quite useless...still needs user interaction unless server 1 has access to server 2 which makes it exploitable again

I'll simply return the encryption key to the user and data will be scraped whenever he/she logins with it.