I need some help to identify whether my solution for storing passwords in a database is good (secure). Information security is a complex subject, so I'm not sure if my solution is weak or even overkill.
My application needs to save some users and passwords in a database and use them to log in to another application. This login happens only on the server side. We can call these users "Providers". Each provider is identified by a unique id that comes from the front-end application and is needed to know which provider has to be used.
Storing the passwords in plain text is not an option. So my idea is: encrypt each password using a secret key with a different salt per provider. The secret key is stored in the server application (as a Kubernetes secret) and used, together with the salt, to decrypt the passwords.
So, we will have a table like this:
+------------+-------------------------+---------------------+----+
| Name       | Password                | Salt                | id |
+------------+-------------------------+---------------------+----+
| Provider 1 | 7c73c5a83fa580b5d6f8208 | feacbc02a3a697b0    | 23 |
| Provider 2 | 23291ac8bc335a1277a39d2 | 3a6acbc02a97b0fe    | 88 |
+------------+-------------------------+---------------------+----+
As the number of Providers is very low (no more than 20), a different salt per provider seems a bit too much to me, but it is the safer solution.
So, my question is: Is this solution secure for my scenario?
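An added example (not from the question or any answer) of how the scheme described above can be implemented server-side in Go with AES-256-GCM: the master key from the Kubernetes secret is combined with the row's salt to derive a per-provider key, and the provider id is authenticated as associated data so a ciphertext cannot be silently moved to another row. The function names, the KDF choice (HMAC-SHA256) and the sample key and password values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// gcmFor derives a distinct AES-256 key per provider from the master key and the
// row's salt (HMAC-SHA256 as a simple KDF) and returns an AES-GCM instance for it.
func gcmFor(master, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, master)
	mac.Write(salt)
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)          // 16-byte block: cannot fail
	return gcm
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// Seal returns the row's Salt and Password values. The id is bound as associated
// data, so a ciphertext moved into another provider's row will not decrypt.
func Seal(master []byte, id int, password string) (salt, sealed []byte) {
	salt = randBytes(16)
	gcm := gcmFor(master, salt)
	nonce := randBytes(gcm.NonceSize()) // fresh per encryption; never reused under one key
	return salt, gcm.Seal(nonce, nonce, []byte(password), []byte(fmt.Sprint(id)))
}

// Open decrypts one row; it fails if the master key, salt, id or ciphertext changed.
func Open(master []byte, id int, salt, sealed []byte) (string, error) {
	gcm := gcmFor(master, salt)
	if len(sealed) < gcm.NonceSize() {
		return "", fmt.Errorf("provider %d: ciphertext too short", id)
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(fmt.Sprint(id)))
	if err != nil {
		return "", fmt.Errorf("provider %d: %w", id, err)
	}
	return string(pt), nil
}
```

The Password column holds nonce, ciphertext and GCM tag together, so a wrong master key, a swapped salt or id, or a modified byte all surface as a decryption error rather than as garbage plaintext.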