Secure way to store third party passwords without reasking users?

     
9:11 pm on Aug 31, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member jab_creations is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 26, 2004
posts: 3158
votes: 14


I'm curious as to whether there is a reliable way to securely store passwords in a database, not as plain text, that are used to access third-party websites? For example, I salt and pepper passwords, hash them, and then compare hashes; however, you can't send a hashed password to a third party and expect it to work, though at the same time you don't want to store passwords as plain text at the risk of giving away all of a company's passwords should the database be stolen or compromised.

- John
10:14 pm on Aug 31, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 15, 2003
posts:2606
votes: 0


Not 100% sure what it is you are trying to do.

Do you want it so someone can give login credentials on your site that would log them into a different site?
10:35 pm on Aug 31, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member jab_creations is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 26, 2004
posts:3158
votes: 14


I'm not trying to do this, though yes. I've seen sites that want to take your authentication credentials for third parties (you are first, they are second, credentials are third party) and store them in their database so they don't request the same credentials over and over again.

- John
10:51 pm on Aug 31, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member whoisgregg is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 9, 2003
posts:3416
votes: 0


If you use something like mcrypt to encrypt the passwords, then someone hacking the database would have a long way to go to decrypt what they find there.

However, if they also get access to the PHP file that stores the key, then it's game over.
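
The reversible-encryption approach from the last reply, as an added example that is not part of the original thread or any poster's code. It uses PHP's libsodium functions instead of mcrypt (mcrypt was removed from PHP core in 7.2), and it reads the key from an environment variable rather than a PHP file beside the database credentials. The variable name `THIRD_PARTY_VAULT_KEY`, the function names and the sample password are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Load the 32-byte key from the environment (hypothetical variable name),
// so a database dump or a leaked source file alone does not reveal it.
function load_vault_key(): string
{
    $b64 = getenv('THIRD_PARTY_VAULT_KEY');
    if ($b64 === false) {
        throw new RuntimeException('vault key not configured');
    }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('vault key must be 32 bytes, base64-encoded');
    }
    return $key;
}

// Encrypt and authenticate; a fresh random nonce is stored with each ciphertext.
function seal_password(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Decrypt; rejects truncated input and any ciphertext modified in the database.
function open_password(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('ciphertext failed authentication');
    }
    return $plain;
}

// Constructed demo: a throwaway key stands in for the real environment value.
putenv('THIRD_PARTY_VAULT_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key    = load_vault_key();
$stored = seal_password('constructed-sample-password', $key); // database column value
echo $stored, PHP_EOL;
echo open_password($stored, $key), PHP_EOL; // decrypted only when calling the third party
```

Anyone who can run code as the web application can still read the key, so this narrows the exposure to a full server compromise rather than removing it.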