|
Posted by Alvaro G. Vicario on 07/03/06 17:05
I’m writing a web application that needs to keep passwords in a database.
These passwords are for third-party services and are different from the
regular login passwords.
I don’t like storing this sensitive info as plain text and one-way hashing
is not an option because I need the actual passwords. I’ve done some quick
research and it seems that symmetric encryption algorithms (blowfish, AES…)
provide a reasonable solution—I don’t need a 100% hacker-proof system but I
don’t want my security to be too dumb.
These encryption methods, of course, rely on secret keys. And that’s my
doubt: how do I keep these keys so the system is not too insecure? An
include file with a constant or variable must be world-readable if I want
to use if from a web site. If I use the regular login password as key (it’s
stored as an MD5 hash so it has to be typed every time), users will lose
all their passwords whenever they forget their login info.
I’d appreciate any tips or suggestions, as well as links where this
specific problem is discussed.
--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web: http://bits.demogracia.com
+- Mi web de humor con rayos UVA: http://www.demogracia.com
--
[Back to original message]
|