0

I need to store password that our users use to connect to third party services (primarily their database). To add complexity to this, the user might be able to add more users later (of course with the same permission levels) so they would be able to connect to those services as well. What would be the best (secure) way to do it?

Storing the hash (and salt) won't be an option since we need to use the password to access to their third party services.

I know there is oAuth option, but their third party service might not have oauth in place. Also not sure if configuring oauth on their database would be that simple.

Another option is to have another system for storing the password (eg. KMS). Encrypt the service's password with the user's own password (master password) so the system can decrypt it later (but not without user's own password). Something like these:

Is there a better way to do this kind of thing? What would be the security model look like and the checklist to securing it? Or even should I refrain from developing this system at all? Any insight would really be appreciated.

** EDIT **

As some comments suggested, I might be not clear enough on the situation and goals here. So to clarify:

  • We are trying to build a No-Code feature in which user might be able to connect to third party services holding their data or their own database. Something like Bubble
  • As for the goals (and threats), we are trying to make the key (password) relatively un-readable (and un-usable) by external threat or even our own developer but our system (with authorisation from the owner) can still use it
  • Not sure if this is ok to ask here (otherwise just ignore it), but I wonder what kind of method system like Bubble (their database connector plugin) use
  • The links I showed (and given by gusto2) above recommend the use of HSM, which is costly (even for the cloud solution). Is there a lower cost alternative method?
Agustinus Verdy
  • 7,267
  • 6
  • 26
  • 28
  • You may be looking at the wrong site for this; [security.se] would be the best starting place. Note that "is it secure enough" is opinionated. Furthermore, it is impossible to quantify if you don't specify any threat actors and possible attack scenarios. You are right in doubting if you need to implement this in the first place; taking over responsibility of peoples passwords is serious business and may have interesting legal consequences if things go awry. – Maarten Bodewes Nov 03 '21 at 11:01
  • Very similar to [How to securely store customer's API key?](https://stackoverflow.com/questions/69557453/how-to-securely-store-customers-api-key) . There are ways to protect the stored passwors, I just woudn't trust a site/application asking me for 3rd party credentials. It stopped in 90s. For users the standars is OAuth2.. Building a security model, one starts with the thread model. This is not specific enough to get a good answer – gusto2 Nov 04 '21 at 06:20
  • @MaartenBodewes thank you for the suggestion. I was actually thinking of posting there. But most of the search result of similar questions I got were posted here. But I will try moving this question to Information Security section if there is no response here. I have updated my question accordingly though – Agustinus Verdy Nov 05 '21 at 06:43
  • @gusto2 thank you for the link and suggestion, I have made my question clearer (hopefully). I agree, OAuth is a great way dealing with third party services, but I am not sure if setting up OAuth in your own db just to connect to it through a third party system (my system) is a good idea, especially for someone without technical knowledge. But your statement of "not trusting site asking 3rd party credentials" is a good one. So another problem for us is how we convince user that it is safe to connect through us – Agustinus Verdy Nov 05 '21 at 06:50
  • 1
    @verdy (btw an HMS is not needed, KMS should be good enough, plz do not add new questions to the existing, it changes the scope). it is not about convincing users to trust the system, but about not needing to in principle. Example: Why would someone give you their salesforce credentials, when there is another way? (if not, it's a good opportunity to make one) – gusto2 Nov 05 '21 at 07:24

0 Answers0