I need to store the user's mail password in a database to send mails later, but how can I store the password in a secure way?

This password can't be one hand encrypted because I need it later to fire the e-mail with SMTP.

Actually in this case I may request the password every time I fire the e-mail or a pin to decrypt the email's password.

How can I encrypt a string with a key to decrypt?

SpaceDogCS

1 Answer


> This password can't be one hand encrypted because I need it later to fire the e-mail with SMTP.

And then you go on to say...

> It can't be an encryption that anyone can decrypt like md5 because it's still insecure

You can't encrypt something in a way that can't be decrypted and expect to be able to decrypt it yourself.

Additionally, MD5 isn't encryption; it's a hash. A one-way function. You can't take the output from MD5 and deterministically get the input. That's impossible. What is possible is generating a "rainbow table" from known inputs and reversing that way.

You need plain ol' symmetrical encryption. AES is a usual go-to for this. What matters most here is how you handle your keys, as once someone has the key, they can decrypt the data. Start by ensuring that you're using a different key for each record. You can do this using a key derivation algorithm. You still need to keep your master keys safe though.

> I need to store the user's mail password in a database to send mails later

Are you absolutely sure you need to do this? Consider alternatives:

  • Send e-mail on behalf of someone. It's common to use their name, but not their e-mail address in sending the e-mail, and then setting a Reply-To to go back to the original user.
  • If you're authorized on the e-mail server, you can send e-mail on behalf of someone without having their credentials.
Brad
  • A user's password should never be decrypted. There isn't a valid use case for this. If you need to perform actions on a user's behalf, use OAuth flow, or some type of API/Token system - every mail provider provides both of these options. Advising insecure methods is why I've downvoted you. – Kaylined Jul 18 '18 at 15:52
  • @Kaylined There *is* the occasional use case. Don't make assumptions about what every mail provider supports. I myself have been in situations when interfacing with some ugly decades-old systems where I had no choice but to create accounts and interface with them in this way. I do agree that probably isn't the case here however, which is why I added that bit at the end to consider alternatives. – Brad Jul 18 '18 at 15:54
  • @Kaylined I'm not aware of any low-level SMTP relay that supports OAuth, let alone "every mail provider". Token-based authentication is something that services added decades later as an entirely separate authentication layer. If the question expressly mentioned gmail / etc, then sure, but it doesn't. – iainn Jul 18 '18 at 16:01
  • @iainn gmail, msexchange, mailchimp, sendgrid, sendpulse, all support OAuth - GoDaddy, Gatorhost and all the low-end shared hosts offer some form of tokenized auth rather than user/pass as well. – Kaylined Jul 18 '18 at 16:04
  • And like I say, if the question mentioned any of them, then fine. But it just says SMTP. – iainn Jul 18 '18 at 16:04
  • @Brad thank you for answering, I'm new at encrypting and English is not my native language, so sometimes I can't explain so well. 1. Yes, I need to store it somewhere, I think that in the database is the safest way. 2. The mail server that I use doesn't allow changing the from e-mail, for fraud security. I read some articles and thought about the plain ol' symmetrical encryption, one key stays in the server and the other one just the user can provide, right? But where do I store the user's key? Cookie? Session? – SpaceDogCS Jul 18 '18 at 16:19
  • @SpaceDogCS Don't literally change the "from" address, make it from `nobody@your-mail-server.example.com` or something. But, put the display name as the person you're sending on behalf of, and the `reply-to` to their e-mail address. This isn't always acceptable, but is a good option for many use cases. – Brad Jul 18 '18 at 16:21
  • @SpaceDogCS For symmetric encryption, you will maintain all the keys. Asymmetric encryption is where you have a public and private key, and either one can encrypt for the other to decrypt. An e-mail address is small enough that you could use asymmetric encryption, but I don't see the benefit here unless I'm misunderstanding how you're setting up your system. Do use a key derivation algorithm though, to reduce the likelihood of someone being able to decrypt the whole table. – Brad Jul 18 '18 at 16:23
  • Saving plain text passwords on the server is not secure. One must assume that an attacker will obtain admin access to the server, this risk must be addressed. There are secure solutions such as HSMs but they are not cheap. Better to really consider if the service you want to create is worth putting users' passwords at risk. – zaph Jul 18 '18 at 16:25
  • @zaph Agreed. And to re-iterate, there is a pretty high likelihood this will get hijacked at some point. This isn't something you want to build unless you have no choice, and then all you can do is mitigate damage. – Brad Jul 18 '18 at 16:26
  • @Brad Yes, I'm going to do it that way, send from an e-mail, show another name, and add the client e-mail in reply-to. But my client wants to send from his e-mail domain, but doesn't want to share any password with me. I'll try to convince him to create another mail just to fire the e-mail – SpaceDogCS Jul 18 '18 at 16:28
  • Or then, request the email password every time I fire one, or another pin that decrypts the e-mail password – SpaceDogCS Jul 18 '18 at 16:29
  • @SpaceDogCS Good! Yes, that'd be much better. – Brad Jul 18 '18 at 16:30
  • @Brad Thank you for helping :D – SpaceDogCS Jul 18 '18 at 16:31
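
The approach from Brad's answer (AES with a different key for each record, derived from a master key), as an added example that is not part of the original answer or its comments. It uses Node.js's built-in `crypto` module; the choice of HKDF as the key derivation function and GCM as the AES mode, the `MASTER_KEY` constant, the record ids and the function names are assumptions of this example.

```javascript
// Added example: per-record keys derived from one master key with HKDF,
// then AES-256-GCM for the stored SMTP password.
const crypto = require('crypto');

// Assumption: in production the master key comes from a secret store or KMS,
// never from the database that holds the ciphertext. Constructed for the demo.
const MASTER_KEY = crypto.randomBytes(32);

// Derive a distinct 256-bit key for each record from the master key.
function deriveRecordKey(masterKey, salt, recordId) {
  const info = Buffer.from(`smtp-password:${recordId}`);
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, salt, info, 32));
}

// Returns the columns to store: salt, nonce, ciphertext and auth tag (hex).
function encryptPassword(masterKey, recordId, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const key = deriveRecordKey(masterKey, salt, recordId);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(recordId))); // bind ciphertext to its row
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  return { salt: salt.toString('hex'), iv: iv.toString('hex'),
           ct: ct.toString('hex'), tag: cipher.getAuthTag().toString('hex') };
}

// Throws if the row was modified, moved to another record, or the key is wrong.
function decryptPassword(masterKey, recordId, row) {
  const key = deriveRecordKey(masterKey, Buffer.from(row.salt, 'hex'), recordId);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key,
                                           Buffer.from(row.iv, 'hex'));
  decipher.setAAD(Buffer.from(String(recordId)));
  decipher.setAuthTag(Buffer.from(row.tag, 'hex'));
  return Buffer.concat([decipher.update(Buffer.from(row.ct, 'hex')),
                        decipher.final()]).toString('utf8');
}

// Constructed sample data: two users who happen to share a password.
const rowA = encryptPassword(MASTER_KEY, 101, 'correct horse battery');
const rowB = encryptPassword(MASTER_KEY, 102, 'correct horse battery');
console.log(rowA.ct !== rowB.ct);                    // same password, different ciphertext
console.log(decryptPassword(MASTER_KEY, 101, rowA)); // round trip
```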