
Possible Duplicate:
What is the best way to store password in database when API call requires sending of password in plain text?

I'm currently building a website which integrates with a lot of services on the Web, like Delicious, Zootool and so on. Some of these services let me use OAuth to connect to them securely. Other sites, for example Delicious, force me to use HTTP Auth to communicate with them.

Unfortunately this means I have to store passwords in a way that they can be reverted to plain text. Maybe encrypting them using the user's password (hash) from my site would work, but this means the users have to log in again to the various services after a password change.

Any ideas for an elegant solution?

Mario Uher

3 Answers


The user password hash is in the clear in the DB, so it's the same problem. One solution could be to encrypt the third parties' passwords using your site's user password. When the user changes their password, ask them for the old password and the new password. Then decrypt the 3rd parties' passwords with the old password and encrypt them with the new password.

This will work only as long as you save the user's password in the clear in your session or any other variable.

This will avoid you having to save the clear password in the DB, but you still have the clear password in memory.

Paolo
  • But this means the user has to enter the site's password every time they add a new service. – Mario Uher Nov 09 '11 at 13:31
  • My proposition was to save the user password in RAM (i.e. in a Ruby variable). Please note that if you store your user's non-encrypted password anywhere in the DB, it is almost useless to use it to encrypt other passwords in the DB. – Paolo Nov 09 '11 at 13:39

Encrypt and decrypt the data, for example using the built-in MySQL AES/DES functions.

Make sure you don't store the key inside the database as well.

vise

OK, I created the following class for Mongoid:

# Custom Mongoid field type: the value is encrypted before it is written
# to the database and decrypted when it is read back, using a key that
# lives only in the process environment, never in the database itself.
class EncryptedString < String
  include Mongoid::Fields::Serializable

  # Called by Mongoid when the field is loaded from MongoDB.
  def deserialize(value)
    Gibberish::AES.new(ENV['AES_KEY']).decrypt(value)
  end

  # Called by Mongoid when the field is about to be stored in MongoDB.
  def serialize(value)
    Gibberish::AES.new(ENV['AES_KEY']).encrypt(value)
  end
end

My model code looks something like this:

class User
  include Mongoid::Document

  field :password, type: EncryptedString
end

Any concerns?

Mario Uher
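An added example, not code from the question or from any of the answers in this thread, showing both approaches discussed above using only Ruby's standard library: Paolo's scheme of wrapping each third-party password with a key derived from the site user's login password and re-wrapping every stored credential on password change, and Mario's scheme of one server-side key read from ENV['AES_KEY']. Both use AES-256-GCM with a fresh random nonce per record and bind each blob to its service name, so stored ciphertexts are authenticated, identical passwords never produce identical ciphertexts, and a blob moved to another row fails to decrypt. The module and class names, the PBKDF2 iteration count, the `nonce.tag.ciphertext` storage format and the sample service names are assumptions for this example; it does not use Mongoid or Gibberish.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Added example (not code from the question or answers above).
# Scheme 1 (Paolo): per-user key derived from the login password, held in
#   memory only; all credentials are re-wrapped on password change.
# Scheme 2 (Mario): one server-side key from ENV['AES_KEY'], never in the DB.
# Both seal with AES-256-GCM: random nonce per record, tag detects tampering,
# and the service name is authenticated as AAD so blobs cannot be swapped.
module CredentialVault
  KEY_BYTES   = 32
  SALT_BYTES  = 16
  NONCE_BYTES = 12
  PBKDF2_ITERATIONS = 100_000 # assumption: raise this for production hardware

  # Derive a 256-bit key from a login password and a per-user random salt.
  # Only the salt is persisted; the password itself never reaches the DB.
  def self.derive_key(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                             length: KEY_BYTES, hash: 'sha256')
  end

  # Returns "nonce.tag.ciphertext" in base64; all three parts are needed to open.
  def self.seal(key, plaintext, label)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    nonce = SecureRandom.random_bytes(NONCE_BYTES)
    cipher.iv = nonce
    cipher.auth_data = label
    ciphertext = cipher.update(plaintext) + cipher.final
    [nonce, cipher.auth_tag, ciphertext].map { |p| Base64.strict_encode64(p) }.join('.')
  end

  # Raises OpenSSL::Cipher::CipherError if the key, label or blob is wrong.
  def self.open(key, blob, label)
    nonce, tag, ciphertext = blob.split('.').map { |p| Base64.strict_decode64(p) }
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = nonce
    cipher.auth_tag = tag
    cipher.auth_data = label
    cipher.update(ciphertext) + cipher.final
  end
end

# Scheme 1: key derived from the user's own login password (Paolo's answer).
class UserVault
  attr_reader :salt, :services

  def initialize(password)
    @salt = SecureRandom.random_bytes(CredentialVault::SALT_BYTES)
    @services = {} # service name => sealed third-party password (safe to persist)
    @key = CredentialVault.derive_key(password, @salt) # session memory only
  end

  def add_service(name, third_party_password)
    @services[name] = CredentialVault.seal(@key, third_party_password, name)
  end

  def fetch(name)
    CredentialVault.open(@key, @services[name], name)
  end

  # Decrypt everything with the old key, re-encrypt with the new one. A wrong
  # old password raises CipherError on the first blob and changes nothing.
  def change_password(old_password, new_password)
    old_key  = CredentialVault.derive_key(old_password, @salt)
    new_salt = SecureRandom.random_bytes(CredentialVault::SALT_BYTES)
    new_key  = CredentialVault.derive_key(new_password, new_salt)
    rewrapped = @services.each_with_object({}) do |(name, blob), acc|
      acc[name] = CredentialVault.seal(new_key, CredentialVault.open(old_key, blob, name), name)
    end
    @services, @salt, @key = rewrapped, new_salt, new_key
  end
end

# Scheme 2: one server-side key from the environment (Mario's answer).
# Assumption: AES_KEY holds 32 random bytes, base64-encoded, generated once
# with SecureRandom.base64(32) and kept out of the database and the repo.
module ServerKeyVault
  def self.key
    raw = ENV.fetch('AES_KEY') { raise 'AES_KEY is not set' }
    key = Base64.strict_decode64(raw)
    raise 'AES_KEY must decode to 32 bytes' unless key.bytesize == CredentialVault::KEY_BYTES
    key
  end

  def self.encrypt(third_party_password, label)
    CredentialVault.seal(key, third_party_password, label)
  end

  def self.decrypt(blob, label)
    CredentialVault.open(key, blob, label)
  end
end
```

Under Paolo's scheme the decryption key exists only inside UserVault for the life of the session, which is exactly the trade-off he notes: the old password (or its derived key) must be at hand at the moment of change, and a user who forgets the login password loses every stored credential. Under Mario's scheme the database alone is useless to an attacker, but anyone who can read the application's environment can decrypt every row, so AES_KEY deserves the same handling as a database master password.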