
I have a PHP-based web application that manages several other systems, including Active Directory and Google Apps. Whenever a user is edited, those changes are synced to all of our other systems. Several of the systems require that the password be set on their system as well as our system.

Currently all the changes are synced synchronously during the single page request; however, I would like to have a background process sync all the changes. Is there a reasonably secure way to store the password in a retrievable format for the background process to sync it and then delete it? Unfortunately, Active Directory and some of our other systems don't provide a way to send a hashed copy of the password to set the password.

Taylor Jones
  • The password can be encrypted and stored in a database temporarily using `openssl_encrypt()` and a secure key: http://php.net/manual/en/function.openssl-encrypt.php. Just don't try to roll your own encryption, because it more than likely will not be secure. – Jeremy Harris Jul 15 '16 at 19:34
  • @JeremyHarris Please complete the suggestion with how to secure the encryption key. – zaph Jul 15 '16 at 19:43
  • Even better, take a look at this example: http://stackoverflow.com/questions/1391132/two-way-encryption-in-php – Jeremy Harris Jul 15 '16 at 19:45
  • Keep the password in RAM, do not save to disk. There is a slight chance the memory page will be swapped to disk but that is not as bad as storing in a file. – zaph Jul 15 '16 at 19:45
  • @zaph Do you have any recommendations on how to store it in RAM? I.e. the database goes to disk, session is generally stored on disk. – Taylor Jones Jul 15 '16 at 19:48
  • If this is multi-threaded the password could be saved in an array in memory. If multitasking it will be a little more complicated. Note that encrypting it essentially has the same problem with the encryption key. – zaph Jul 15 '16 at 19:51
  • Optimally the syncing will be done by a cron job, so in case syncing fails it can try again the next time the cron job runs. In that case there is not really a way to pass the password, as the process is not spawned from the first process but spawned separately. – Taylor Jones Jul 15 '16 at 19:56
  • To paraphrase: I had one problem, I tried to solve it with encryption, now I have two problems. – zaph Jul 15 '16 at 19:56
  • What are your monetary restraints and can you add hardware to the server? Also, who is the attacker: a script kiddie, a nation state or somewhere in between? – zaph Jul 15 '16 at 19:57
  • @zaph Yes, often solutions to problems inherently have more problems. However, sometimes these other problems can be solved, so I am trying to explore that avenue to solve them. It may be the best way to go or I may have to find another solution, but potential problems aren't going to keep me from investigating what appears to be the best solution to see if it is doable. If the problems seem too large to combat then I will explore the next greatest solution. You can't tell me you never run into additional problems in solving the original problem. That is a part of development. – Taylor Jones Jul 15 '16 at 20:02
  • @zaph We have a virtual private server we manage ourselves; as such, additional hardware for hardware-based encryption is not feasible. We are a small company and as such there is not a major attacker we are protecting against; however, as most encryption questions on this site say, even low-profile sites can be attacked to try and get passwords to high-profile sites. We don't have any major attackers; however, I would like to use the best security reasonably possible. – Taylor Jones Jul 15 '16 at 20:05
  • I am not saying not to use encryption (or regular expressions), just that they are generally not a silver bullet and do increase the solution complexity. In particular the encryption key is a hard problem, and somewhat of a tradeoff. If the encryption key used to encrypt the password probably can be passed, probably so can the password. – zaph Jul 15 '16 at 20:09
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/117449/discussion-between-taylor-jones-and-zaph). – Taylor Jones Jul 15 '16 at 20:12
  • If no hardware can be added then an HSM is out; note that HSMs tend to encrypt keys, not data. Handing off the updating to another server (virtual or not) that does not have an Internet connection is an option. Having really good access security to the server is also necessary: limited admin access and two-factor authentication with a hardware token (with a serial number) go a long way. – zaph Jul 15 '16 at 20:14
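
One way to queue a password for a cron-driven sync while limiting the key problem raised in the comments, as an added example that is not from the thread or any commenter: it swaps the suggested `openssl_encrypt()` for libsodium sealed boxes (public-key encryption), so the web process can queue passwords but holds no key that decrypts them. The table, function names and in-memory SQLite database are hypothetical stand-ins, and PHP 7.2+ with the sodium and pdo_sqlite extensions is assumed.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.2 with the
// sodium and pdo_sqlite extensions; all names below are hypothetical.

// One-time setup on the worker side. Only the public key is deployed to the
// web application; the keypair stays readable by the sync worker alone.
$workerKeypair = sodium_crypto_box_keypair();
$webPublicKey  = sodium_crypto_box_publickey($workerKeypair);

$db = new PDO('sqlite::memory:');   // stand-in for the application's database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pending_sync (id INTEGER PRIMARY KEY, username TEXT, sealed TEXT, created_at INTEGER)');

// Web request: seal the new password with the public key and queue it.
function queuePasswordSync(PDO $db, string $publicKey, string $user, string $password): void
{
    $sealed = base64_encode(sodium_crypto_box_seal($password, $publicKey));
    $db->prepare('INSERT INTO pending_sync (username, sealed, created_at) VALUES (?, ?, ?)')
       ->execute([$user, $sealed, time()]);
}

// Cron worker: open each sealed password, push it to the downstream systems,
// and delete the row only after the sync succeeded so a failure is retried.
function runSyncWorker(PDO $db, string $keypair, callable $sync, int $maxAge = 3600): int
{
    // Expire anything that has waited too long instead of keeping it forever.
    $db->prepare('DELETE FROM pending_sync WHERE created_at < ?')->execute([time() - $maxAge]);
    $done = 0;
    $rows = $db->query('SELECT id, username, sealed FROM pending_sync')->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
        $plain = sodium_crypto_box_seal_open(base64_decode($row['sealed']), $keypair);
        if ($plain === false) {
            continue;               // tampered or sealed to another key: leave for review
        }
        if ($sync($row['username'], $plain)) {
            $db->prepare('DELETE FROM pending_sync WHERE id = ?')->execute([$row['id']]);
            $done++;
        }
        sodium_memzero($plain);     // best-effort wipe of the decrypted copy
    }
    return $done;
}

queuePasswordSync($db, $webPublicKey, 'alice', 'constructed-sample-password');
// Constructed stand-in for the Active Directory / Google Apps update calls.
$synced = runSyncWorker($db, $workerKeypair, function (string $user, string $pw): bool {
    return $pw === 'constructed-sample-password';
});
echo "synced: $synced, rows left: ", $db->query('SELECT COUNT(*) FROM pending_sync')->fetchColumn(), "\n";
```

The private half of the keypair still has to live somewhere the worker can read it, so this narrows the exposure to the worker account (or a separate host, as suggested in the comments) rather than removing it.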
