
I want to store some passwords in my database on the server.

The passwords should be recoverable, since I want to use them for a third-party API which needs the password. (So I can't use one-way methods like md5...)

What is the best method to save passwords in database? Isn't there any better way than storing plain text?

Mahdi Ghiasi
  • You can encrypt them, but that only shifts the problem to storing the master key. – CodesInChaos Jul 24 '12 at 17:04
  • And placing the master key on another database, to avoid SQL Injection attacks, maybe?? – Mahdi Ghiasi Jul 24 '12 at 17:05
  • md5 is a broken one-way method... just for the record. – Eric J. Jul 24 '12 at 17:05
  • @EricJ. That's a misleading statement in this context. The reason why md5 isn't fit for password hashing is its speed, and not its broken collision resistance. Plain SHA-2 would be almost as bad. – CodesInChaos Jul 24 '12 at 17:07
  • @CodesInChaos: *it has since been shown that MD5 is not collision resistant* http://en.wikipedia.org/wiki/MD5, reference http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf – Eric J. Jul 24 '12 at 17:13
  • @EricJ. I know. But that's irrelevant in this context. We only require first pre-image resistance. Of course one would avoid it, because confidence in MD5's pre-image resistance is lower than for modern hashes. The important points for password hashing are a high number of iterations and a salt. Choice of primitive is secondary. – CodesInChaos Jul 24 '12 at 17:16
  • @CodesInChaos: I agree that salt + many iterations makes the choice secondary. Still, why begin with a cryptographically weaker hash algorithm? – Eric J. Jul 24 '12 at 17:19

1 Answer

AES is cryptographically sound and probably the most common encryption (as opposed to hashing) mechanism selected for new applications.

Take care to generate a random initialization vector (IV) for each password that you encrypt, and store the Key and the IV separately from the encrypted password bytes.

To understand the differences between AES and Rijndael, check out http://blogs.msdn.com/b/shawnfa/archive/2006/10/09/the-differences-between-rijndael-and-aes.aspx: there are some differences between Rijndael and the official FIPS-197 specification for AES.

You should use a unique IV per user. However, storing the key-per-user makes for a complex key management scenario. I would suggest one key for the application and an IV per user.

The IV can be saved alongside the ciphertext. The key should be stored outside of the database.

You could store the key, encrypted, in web.config. See this.

Eric J.
  • You should use a unique IV per user. However, storing the key-per-user makes for a complex key management scenario. I would suggest one key for the application and an IV per user. – Eric J. Jul 24 '12 at 17:11
  • Storing the IV separately from the ciphertext is unusual. Prepending the IV to the ciphertext is standard. – CodesInChaos Jul 24 '12 at 17:11
  • And where should I save each IV? (in another database to avoid SQL Injection attacks? or ...) – Mahdi Ghiasi Jul 24 '12 at 17:12
  • The IV can be saved alongside the ciphertext. The key should be stored outside of the database. – Eric J. Jul 24 '12 at 17:16
  • And where should I store the Key? inside code? in a file? in web.config? in another database? or ...? – Mahdi Ghiasi Jul 24 '12 at 17:17
  • You could store the key, encrypted, in web.config. http://stackoverflow.com/questions/54200/encrypting-appsettings-in-web-config – Eric J. Jul 24 '12 at 17:25
  • Thanks, and can you please put this information (that you provided in comments) in your answer text? – Mahdi Ghiasi Jul 24 '12 at 17:28
  • A problem: I can't use that command-line tool, since I'm using shared hosting. What should I do? – Mahdi Ghiasi Jul 24 '12 at 17:32
  • Have a look at the options here: http://stackoverflow.com/questions/1349130/encrypting-web-config-on-shared-hosting – Eric J. Jul 24 '12 at 18:21
  • Which one should I use? Rijndael or AES?? – Mahdi Ghiasi Jul 25 '12 at 09:36
  • If you contract for the US government or a Fortune 1000 company, probably AES as it is FIPS compliant. Otherwise either will be fine. – Eric J. Jul 25 '12 at 17:46
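
The scheme the answer and comments arrive at (one application key, a fresh random IV per stored password, the IV prepended to the ciphertext), as an added example that is not part of the original thread. The class name `StoredSecret`, the demo key and the sample password are constructed for illustration; CBC as used here provides confidentiality only, with no integrity check.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class StoredSecret
{
    private const int IvSize = 16; // AES block size in bytes

    // Returns IV || ciphertext: the single value to store in the password column.
    public static byte[] Encrypt(string password, byte[] key)
    {
        using (Aes aes = Aes.Create()) // defaults: CBC mode, PKCS7 padding
        {
            aes.Key = key;
            aes.GenerateIV(); // fresh random IV for every stored password
            byte[] plain = Encoding.UTF8.GetBytes(password);
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
        }
    }

    // Splits the stored value back into IV and ciphertext, then decrypts.
    public static string Decrypt(byte[] stored, byte[] key)
    {
        if (stored == null || stored.Length < 2 * IvSize || stored.Length % IvSize != 0)
            throw new CryptographicException("Stored value is truncated or malformed");
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = stored.Take(IvSize).ToArray();
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(stored, IvSize, stored.Length - IvSize));
        }
    }

    public static void Main()
    {
        // Constructed demo key. In the design discussed above the real key is loaded
        // from outside the database (for example protected configuration).
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] a = Encrypt("api-pass-123", key), b = Encrypt("api-pass-123", key);
        Console.WriteLine(Decrypt(a, key) == "api-pass-123"); // round trip succeeds?
        Console.WriteLine(a.SequenceEqual(b)); // do two encryptions of one password match?
    }
}
```

Because the IV is random per call, two rows holding the same password do not share stored bytes, so equal passwords cannot be spotted by comparing column values.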