Hi,
If you're using PHP you can use the GnuPG extension to easily encrypt any credentials on your side, and decrypt them before making the API calls.
Here's a checklist of things you need:
- make sure gpg is installed on your system;
- create a gpg key pair and store the files in a safe location;
- optionally password protect the generated private key;
- use PHP's GnuPG extension to encrypt and decrypt data using those keys.
Here's a small PHP example, taken from the gnupg_encrypt() manual:
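<?php
// Create a GnuPG context that uses the default keyring.
$res = gnupg_init();
// Select the recipient key by its fingerprint; the key must already be in the keyring.
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
// Encrypt the plaintext for that key.
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>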
This technique should also be applied even if you're using OAuth or another password-less authentication method. A common mistake is to use OAuth and not encrypt locally saved tokens, as access to those tokens might give anyone the power to act on behalf of the user.
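
An added example, not part of the original post or the PHP manual: the full round trip for a locally saved OAuth token, encrypting it before it touches disk and decrypting it just before an API call. The keyring path, file path, environment variable names and sample token are assumptions made for illustration.

```php
<?php
// Assumed keyring location, kept outside the web root.
putenv('GNUPGHOME=/var/lib/myapp/gnupg');

function gpg_handle()
{
    $res = gnupg_init();
    // Throw on failure instead of returning false with a warning.
    gnupg_seterrormode($res, GNUPG_ERROR_EXCEPTION);
    return $res;
}

function store_token(string $token, string $fingerprint, string $path): void
{
    $res = gpg_handle();
    gnupg_addencryptkey($res, $fingerprint);
    $enc = gnupg_encrypt($res, $token);
    if ($enc === false) {
        throw new RuntimeException('Token encryption failed');
    }
    $old = umask(0077);               // new file is readable by the owner only
    $ok = file_put_contents($path, $enc, LOCK_EX);
    umask($old);
    if ($ok === false) {
        throw new RuntimeException('Could not write encrypted token');
    }
}

function load_token(string $fingerprint, string $passphrase, string $path): string
{
    $enc = file_get_contents($path);
    if ($enc === false) {
        throw new RuntimeException('Could not read encrypted token');
    }
    $res = gpg_handle();
    gnupg_adddecryptkey($res, $fingerprint, $passphrase);
    $plain = gnupg_decrypt($res, $enc);
    if ($plain === false) {
        throw new RuntimeException('Token decryption failed');
    }
    return $plain;
}

// Hypothetical variable names; the fingerprint and passphrase are never hard-coded.
$fpr  = getenv('MYAPP_GPG_FINGERPRINT') ?: exit("fingerprint not configured\n");
$pass = (string) getenv('MYAPP_GPG_PASSPHRASE');
store_token('constructed-sample-access-token', $fpr, '/var/lib/myapp/token.gpg');
$token = load_token($fpr, $pass, '/var/lib/myapp/token.gpg'); // use for the API call, do not log
```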