On Mar 7, 1:44pm, Fearless F. [email protected] wrote:
In our app, users give us sensitive information (credentials for
logging into a third party site). At some point, we need those
credentials in cleartext in order to access the third party site, but
while they’re in our database, we want to make best effort for
What techniques have people used for this? I find myself asking "WWMD
(What Would Mint.com Do?) – any suggestions?
I’ve used Strongbox (https://github.com/spikex/strongbox) to protect
sensitive data before, but that was for an application where the
private key password wasn’t stored on the server at all (requests for
the data were user-initiated and prompted for the password). Your case
sounds like it might be considerably more automated, which
substantially weakens the protection of 99% of systems - if you’re
storing the keys with the data, then an attack which gets one will
likely get the other.