Posted by Colin McKinnon on 07/03/06 21:55

Mark wrote:

>
> Alvaro G. Vicario wrote:
>> I'm writing a web application that needs to keep passwords in a database.
>> These passwords are for third-party services and are different from the
>> regular login passwords.
>>
>
> I'm probably the most educated person in this field, but if you just
> store one key in a PHP file, it would be pretty hard to hack wouldn't
> it? Don't put it in a database or anything, just include it where ever
> you do your checking.
>
> $key = 'aerg34aerg324eth'; // random
>

A solution is either secure by design or its insecure. That suggestion is
insecure.

better solutions (?):

1) keep all the passwords in a file encrypted with a master key. Don't keep
the key on the server - ask the user to supply it. Note that you'll
probably end up storing it in cleartext in a session which is nearly as bad
as keeping it in a PHP file though, and it's not very handy when you want
to share the passwords.

2) use shared secret encryption. While this will allow you to have multiple
users securely accessing the password (use a quorum of 2 and keep one
password on the server unencrypted, and one encrypted with the users
password) it doesn't scale well and is difficult to manage. Still have
session isolation problem.

3) use assymetric encryption to distribute the password to the users (stored
on the server) - each users copy is encrypted using their public key. User
needs to provide their passphrase to decrypt using their public key on the
server. This is very secure and scales well. Still doesn't solve the
session isolation problem though.

There are ways to solve the session isolation problem...but you've probably
got enough to think about.

C.

[Back to original message]