I’ve been kind of stumped on this one lately . . .
I’m planning on adding syncing and interfacing in my application to a
couple other web apps through their API’s (specifically Basecamp and
del.icio.us). How can I store users’ login credentials to these other
services securely? Obviously a regular MD5 or SHA1 hash wont work,
because I need to be able to retrieve the full password to send to
these services.
Any ideas?
–AQ
{0}~---------------------------------
Aaron Quint
[email protected]
http://www.quirkey.com
Yeah, fundamentally there’s no really secure way to do it. To avoid
storing clear-text passwords, you can use a 2-way (reversible)
encryption function to store the foreign password. Basically encrypt
the password to save it, then decrypt it when you need to use it.
The problem is that if your app can decrypt the password, then so can
an attacker. You can add salt to the encryption, but it will still be
possible to break the encryption, especially if the attacker can get
access to your code.
One approach is the “key store” approach used by common password vault
systems. Here you encrypt the passwords using a “master password” given
to you by the user. The trick is that you NEVER store this password.
Instead, you ask the user for it whenever you need to decrypt and use
on of the stored passwords.
This should be pretty secure, but obviously at the disadvantage of
requiring the user to type in the master password frequently.
I figured there was no easy solution. What about using the database
stored hash of the users password as the salt for encryption? This
way every users salt is different, and a little more secure.
The problem with using the “key store” approach is that if the user
is constantly entering a password, there’s no real advantage to
storing the passwords at all . . .
Is there an easy way to do salted two way encryption in Ruby? What
types of encryption are two way?
Thanks for your help!
–AQ
{o}~~~~~~~~~~~~~~~~~~~
Aaron Quint
[email protected]
http://www.quirkey.com