views:

95

answers:

5

My university has a portal which students use to register for classes. If you want to get into a full class, you have to keep checking the portal, and sign up when the class has an opening.

I wrote a tool that can check for openings and register automatically, but it needs the student's university username and password. These passwords are tied to email accounts, network shares, server logins, and most every other university service.

Is there any way to do this securely?

A: 

You could encrypt the password strings when you store them and then decrypt them when you need to try logging in. Simply generate a symmetric key and use that to encrypt and decrypt the passwords for storage and retrieval (respectively).

Jack
And where do you store the key?
Martin v. Löwis
I could, but wouldn't the decryption code have to be sitting on my server right along with the encrypted passwords?
ABentSpoon
@ABentSpoon: Martin's asserting that storing encrypted passwords (along with the encryption key) is no more secure than just storing the passwords - and he's right. And yes, you can't "hide" your decryption code - the algorithms are well-understood.
Michael Petrotta
A: 

You can't store them entirely securely because you'd need to be able to encrypt and decrypt, so one-way hash algorithms like MD5, SHA-1, SHA-2 wouldn't suffice. You could look into something like DES or Triple-DES encryption.

Taylor Leese
So where do you store the symmetric key for DES or Triple-DES?
Martin v. Löwis
Good question. That's why I said it's not entirely secure.
Taylor Leese
I'd say that encrypting the password with a different one doesn't improve security at all.
Martin v. Löwis
+3  A: 

In security, the most important thing is the "threat model". What kind of attack do you fear?

  • somebody may steal the computer where this program runs on: put the computer in a locked room.
  • somebody may hack into the computer and read it from memory: use firewalls and other protection against remote attacks
  • other users may read the hard disk where the password is stored: only store the password in memory (which would require re-entering it every time you start the program)
  • the super user may read the password even if it is in memory: only run the program on a computer where you trust the superuser.

etc.

Martin v. Löwis
Storing the encryption key in memory sounds like a pretty good idea. I'm not sure how much extra security it would really provide, but it would at least trip up an attacker for a little while, perhaps long enough to detect the attack and stop the service.
ABentSpoon
If you ever needed to restart the service then you wouldn't be able to decrypt the passwords though. That's the biggest problem I see with this rather than the lack of security.
Taylor Leese
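As an added illustration of the "only store the password in memory" option from Martin v. Löwis's list (this is example code, not from the thread or any poster): the operator types a passphrase when the service starts, the key derived from it lives only in the process, and the file on disk holds salt, nonce, ciphertext and tag. The restart cost Taylor Leese raises is visible in the constructor: without the passphrase the file cannot be opened. The cipher (HMAC-SHA256 as a counter-mode PRF plus an encrypt-then-MAC tag) and the `CredentialVault` class are constructed for this example using only the standard library; a deployment should use a vetted AEAD such as AES-GCM instead.

```python
import hashlib, hmac, json, os, secrets

def derive_key(passphrase: str, salt: bytes) -> bytes:
    # 64 bytes: first half for the keystream PRF, second half for the MAC.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (illustrative PRF, not AES).
    blocks, i = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or tampered credential file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], nonce, len(ct))))

class CredentialVault:
    """Key in memory only; disk holds salt (16 bytes) + sealed JSON of {user: password}."""

    def __init__(self, path: str, passphrase: str):
        self.path = path
        self.salt, blob = secrets.token_bytes(16), None
        if os.path.exists(path):
            with open(path, "rb") as f:
                self.salt, blob = f.read(16), f.read()
        # The passphrase and this key are never written anywhere; a restart
        # means the operator has to type the passphrase again.
        self._key = derive_key(passphrase, self.salt)
        self.creds = json.loads(unseal(self._key, blob)) if blob else {}

    def put(self, user: str, password: str) -> None:
        self.creds[user] = password
        with open(self.path, "wb") as f:
            f.write(self.salt + seal(self._key, json.dumps(self.creds).encode()))

    def get(self, user: str) -> str:
        return self.creds[user]
```

Whoever can read the process memory (the superuser case in the list) still gets the key, so this only narrows the threat model from "anyone who can read the disk" to "anyone who can read the running process".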
+1  A: 

Unfortunately, this is not really possible -- at least not the way you want to do it -- unless the university provides a key-based authentication API. You could always ask them nicely, but they'll probably be too busy to help. If you give your users full disclosure and keep your server secure, it should be enough.

Actually, there is one way to do it through the web without storing passwords -- you could use a Java or Flash app. Unfortunately your users would need to leave the browser open while the app does its work, but this way you wouldn't need to store the information.

Brett Coburn
I suppose I could even have them download a client which would run in the background. I think the full disclosure and general security is the way to go though. It will be running on my slicehost account, which I assume should be relatively secure...
ABentSpoon
A: 

I do not think there is. As Martin pointed out, one-way encryption won't do it for you. Also, this will create a maintenance nightmare for you - every time a user changes password you will have to update your data.

I think to make it really work you have to change the design: find a way to do the registration without the user password, i.e. talk to the owners of the app and ask if they would give you an account through which you can do registration on behalf of somebody else.

mfeingold