Secure way to store third party passwords without reasking users?

Forum Moderators: open

Message Too Old, No Replies

Secure way to store third party passwords without reasking users?

JAB Creations

9:11 pm on Aug 31, 2010 (gmt 0)

I'm curious to if there is a reliable way to securely store passwords in a database that aren't plain-text that are used to access third party websites? In example I salt and pepper passwords, hash them, and then compare hashes however you can't send a hashed password to a third party and expect it to work though at the same time you don't want to store passwords as plain text at the risk of giving away all of a company's passwords should the database be stolen or compromised?

- John

Demaestro

10:14 pm on Aug 31, 2010 (gmt 0)

Not 100% sure what it is you are trying to do.

Do you want it so someone can give login credentials on your site that would log them into a different site?

JAB Creations

10:35 pm on Aug 31, 2010 (gmt 0)

I'm not trying to do this though yes. I've seen sites that want to take your authentication credentials for third parties (you are first, they are second, credentials are third party) and store them in their database so they don't request the same credentials over and over again.

- John

whoisgregg

10:51 pm on Aug 31, 2010 (gmt 0)

If you use something like mcrypt to encrypt the passwords, then someone hacking the database would have a long way to go to decrypt what they find there.

However, if they also get access to the PHP file that stores the key, then it's game over.