1

Sometimes stupid things come to mind but I'm wondering if you could share some insight on this situation.

Let's say I want to create a sort of service which is able to connect to a remote server (via FTP or something else). If someone would create an account for the service they would need to store their login credentials. Naturally you want to save the data secure and many topics on password hashing exist. But what if you need to use that password later? In this case; to connect to the remote host.

A real life example: I'm using the services of CodeAnywhere in case I don't have access to a computer with development software. This situation applies there as well.

The connection then goes from server A to server B. On server A stuff (files) are managed using server B. On server B an account is created to use the service from server B and a connection is made to server A, storing the authorisation data for server A.

Are people creating their own "hashing" rules to be able to store something like mypassword as drowsappym. In this example the password is reverted. But other things come to mind as well: use unicode points for each character, or create a mapping schema for each character (for example a=i,b=Q,c=*, and so on..). Of course you don't want to only secure the password, but all authorisation data.

Looking forward to the replies.

Ben Fransen
  • 10,884
  • 18
  • 76
  • 129
  • ...are you looking for something like [enpass](http://enpass.io)? – ʰᵈˑ Apr 24 '15 at 09:33
  • I'm not specifically looking for an app. I'm looking for the techniques/best practises to use when you want to achieve this goal. – Ben Fransen Apr 24 '15 at 09:36
  • 1
    How about using RSA authentication? Assuming you can transfer your private key? – ʰᵈˑ Apr 24 '15 at 09:38
  • The public/private key couple is definitly what you need in order to insure symetricity of the encryption(and be able to retrieve your password). – Answers_Seeker Apr 24 '15 at 09:39
  • Are you using MySQL? – Sid Apr 24 '15 at 09:39
  • MySQL is presumably the used database engine considering we're on the web (and it's freely available). I would have to read up on RSA. But when using CodeAnywhere I never uploaded/did anything with certificates. – Ben Fransen Apr 24 '15 at 09:46

1 Answers1

1

I would like to explain two ways that I would use.

  1. Use mcrypt_encrypt to store encrypt the password and later use mcrypt_decrypt to get the plain text password.
  2. If you are working with MySQL then you should have also a look at DES_ENCRYPT

These are the fastest ways I guess and they also provide some pretty decent security, of course if someone breaks in your system then it can be a problem but it will also happen if you use RSA which is more complex to use as well.

Sid
  • 14,176
  • 7
  • 40
  • 48
  • Both interested ways to achieve the goal but what if the database gets hacked. Then it would be an easy task to try some of these methods and check if the credentials match. I didn't knew about these functions, so it was good to read up on them. +1 – Ben Fransen Apr 24 '15 at 09:56
  • If you you use mcrypt_encrypt even if your DB got hacked and you have your key store in a PHP file there will be no way to decrypt (easily). But if you system gets hacked then there is no way to secure the password as some where in your logic at some point there will be the way to decrpyt. This is why we usually use non-revertable hash to store passwords – Sid Apr 24 '15 at 10:00
  • I agree with you. Using salts in the code eliminates (or difficults) the problem. And true, when everything is compromised there's not much left to do except to think about how you could be hacked in the first place. – Ben Fransen Apr 24 '15 at 10:08
  • @Ben Exactly, so I guess for your prupose this is way to got if you need plain text password later! – Sid Apr 24 '15 at 10:21