views: 173
answers: 6

If I built an application that accessed some of the data from say Gmail, Twitter and Facebook, and I want the user to be able to only have to enter their authentication info once, and it's reset after some days or weeks, what is the best way to do this, dynamically, in Ruby?

I see a lot of people just having a config file of their clients'/users' credentials like so:

gmail_account:
    username: myClient
    password: myClientsPassword

This seems a) like it's very insecure, and b) it wouldn't work if I wanted to store this kind of information for thousands of users. What is the recommended way to do this?

I would like to be able to build an interface on top of these services, so having to enter credentials every time the user made a transaction isn't feasible.

+1  A: 

This is the way it works for instance for fetchmailrc, which has to be chmod to 600 (readable and writable only by its owner). And yes, it contains the plain password.

Aif
+6  A: 

Such services provide OpenAuth authorization. You are strongly recommended to have a look at it.

khelll
+4  A: 

If you're comfortable with the potential liability when a hacker gets into your database / filesystem, then go for it. And in all fairness, you should also disclose to your users that their passwords will be stored on your system, and let them decide if they want to give your program that level of trust.

But why do this in the first place? With Facebook Connect, and Twitter & Google using OAuth, there's no need for you to store user passwords at all. At some point a user's cookies will expire (or they'll try to access your site from another computer) and they'll have to re-authenticate. You can't prevent re-authentication - instead, you should make it as easy for the end user to handle as possible.

pygorex1
+1  A: 

Security

I assume your application needs to know the password in plaintext. Then there is no way around storing it in some kind of plain way.

  • Store it in some kind of encoded way, e.g. Base64. This protects you from knowing the password when looking through the database with your eyes, but it does not protect you from anything else.
  • Ensure that the files are not readable by any other user.
  • Encrypt your hard drive, so nobody can get the passwords by stealing your hard drive. Your computer will require you to input the password during booting.

Storing

There is nothing wrong with storing a lot of data in your filesystem. For better performance you can do the following:

  • One file for each user, so the filesystem and not Ruby needs to search for the data.
  • Make a lot of subdirectories. Some filesystems' performance suffers if you put too many files into one directory, e.g. put the file 'abcd' into 'a/b/c/d'.

You could use a database instead of the filesystem.

johannes
A: 

I would strongly suggest you use OAuth, but if you have to store the passwords (please be absolutely sure that you need to do it) you could use the OpenSSL library to encrypt the passwords. The OpenSSL library is quite poorly documented in Ruby, but as far as I know it is quite similar to the C OpenSSL library. Since I think you should use OAuth, and not store the passwords, I'll let you find the documentation yourself.

However, for the OAuth approach, you want to take a look at the OAuth gem. Google, Twitter (which I recommend you use the excellent twitter gem for) and Facebook (which has two seemingly good alternatives: RFacebook and facebooker).

dvyjones
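Added example (not from any of the answers above): the two answers by johannes and dvyjones both sketch a per-user credential file on disk, and dvyjones points at Ruby's OpenSSL library for encrypting what you store. This block combines the two ideas in Ruby's standard library only: AES-256-GCM authenticated encryption (so a wrong key or a modified file is rejected rather than decrypted to garbage), a 0600 file created under a sharded directory tree, and the username bound into the ciphertext as associated data so one user's blob cannot be copied over another's. It assumes the 32-byte key is supplied from outside the store (an environment variable, a KMS, an operator-entered passphrase); here it is generated at run time so the code runs stand-alone. All function names (`encrypt_credential`, `store_credential`, `credential_path`, ...) are my own, and the sharding hashes the user id first rather than using the raw name, which differs from the 'abcd' -> 'a/b/c/d' layout in johannes's answer.

```ruby
require 'openssl'
require 'securerandom'
require 'fileutils'
require 'tmpdir'

IV_LEN  = 12  # GCM nonce length in bytes
TAG_LEN = 16  # GCM authentication tag length in bytes

# Encrypt one credential with AES-256-GCM. `aad` is authenticated but not
# encrypted; we bind the service and user id so a blob is only valid for them.
# Returns iv || tag || ciphertext as a binary string.
def encrypt_credential(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv           # fresh nonce per encryption; never reuse with a key
  cipher.auth_data = aad
  ct = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ct
end

# Inverse of encrypt_credential. Raises OpenSSL::Cipher::CipherError when the
# key, the nonce, the tag, the ciphertext or the associated data do not match.
def decrypt_credential(key, blob, aad)
  iv  = blob[0, IV_LEN]
  tag = blob[IV_LEN, TAG_LEN]
  ct  = blob[(IV_LEN + TAG_LEN)..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  (ct.empty? ? ''.b : cipher.update(ct)) + cipher.final
end

# Shard by the SHA-256 of the record id instead of the raw user name, so that
# arbitrary user input never becomes path components (no '../' traversal) and
# files spread evenly over the directory tree.
def credential_path(root, record_id)
  digest = OpenSSL::Digest::SHA256.hexdigest(record_id)
  File.join(root, digest[0], digest[1], digest[2], digest)
end

# Write the encrypted blob to a file only the owner can read (mode 0600),
# inside directories only the owner can enter (mode 0700).
def store_credential(root, key, service, user_id, password)
  record_id = "#{service}:#{user_id}"
  path = credential_path(root, record_id)
  FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
  blob = encrypt_credential(key, password, record_id)
  flags = File::WRONLY | File::CREAT | File::TRUNC | File::BINARY
  File.open(path, flags, 0o600) { |f| f.write(blob) }
  path
end

def load_credential(root, key, service, user_id)
  record_id = "#{service}:#{user_id}"
  decrypt_credential(key, File.binread(credential_path(root, record_id)), record_id)
end

# Self-contained demonstration using constructed sample values (the names are
# taken from the question's YAML snippet). Returns the observable properties so
# they can be checked rather than just printed.
def demo_roundtrip
  Dir.mktmpdir do |root|
    key = SecureRandom.random_bytes(32)   # stand-in for a key fetched from a KMS/ENV
    path = store_credential(root, key, 'gmail', 'myClient', 'myClientsPassword')

    wrong_key_rejected = begin
      load_credential(root, SecureRandom.random_bytes(32), 'gmail', 'myClient')
      false
    rescue OpenSSL::Cipher::CipherError
      true
    end

    # Flip one ciphertext byte on disk and confirm the tag check catches it.
    original = File.binread(path)
    tampered = original.dup
    tampered.setbyte(-1, tampered.getbyte(-1) ^ 0x01)
    File.binwrite(path, tampered)
    tamper_detected = begin
      load_credential(root, key, 'gmail', 'myClient')
      false
    rescue OpenSSL::Cipher::CipherError
      true
    end
    File.binwrite(path, original)

    {
      restored: load_credential(root, key, 'gmail', 'myClient'),
      mode: File.stat(path).mode & 0o777,
      plaintext_on_disk: original.include?('myClientsPassword'),
      wrong_key_rejected: wrong_key_rejected,
      tamper_detected: tamper_detected
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_roundtrip.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The point of the associated data and the per-file nonce is that the blob is only ever useful to the process holding the key; a copy of the filesystem alone (johannes's "stealing your harddrive" case) yields nothing, and an edited file fails closed instead of returning a silently corrupted password. None of this changes the earlier recommendation: where the provider offers OAuth, store a revocable token rather than the password, and this layout is then only needed for the token.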