tags:

views:

219

answers:

7
+3  Q: 

How can we store password other than plain text?

I've found numerous posts on stackoverflow on how to store user passwords. However, I need to know what is the best way to store a password that my application needs to communicate with another application via the web? Currently, our web app needs to transmit data to a remote website. To upload the data, our web app reads the password from a text file and creates the header with payloads and submits via https.

This password in plain text on the file system is the issue. Is there any way to store the password more securely?

This is a linux os and the application is written in python and is not compiled.

Thanks!

Further clarification: There are no users involved in this process at all. The password stored in the file system is used by the other web app to authenticate the web app that is making the request. To put it in the words of a commenter below: "In this case, the application is the client to another remote application." (Thanks Joe for helping me clarify.)

+1  A: 

You can store it as a result of hash algorithm, this is one way algorithm (eg. MD5 or SHA). On authentication you calc MD5 of password typed by user and checking equality with your stored MD5 password hash for this user. If is equal password is ok.

For more information about hasing algorithms you can visit:

Svisstack  2010-04-18 21:51:00
I use this, it's a good method
Chris  2010-04-18 21:52:59
Sorry, but the issue is storing a password on the file system... This password is needed to authenticate by the other web app.
Eric  2010-04-18 21:53:22
This method don't force your's transmision protocol or filesystem data store. Is only algorithm, you can use it for calculate secure shortcut from your secret string. If your's implementation of this option don't have error's (error == dont using seed's). You can know, the hacker don calculate the orginal string for your shortcuts. And from 2 same orginal strings you have this same shortcut.
Svisstack  2010-04-18 21:58:12
A hash does NOT work here; the OP needs the ability to get the original password back, which MD5/SHA will not let you do. In this case, the application is the client to another remote application.
Joe  2010-04-18 22:25:59
Thank you Joe for helping me clarify. I edited my original comment and added the way you put it. Hopefully that will help. Thanks! :)
Eric  2010-04-18 22:32:19
+1  A: 

You can use a two-way key encryption algorithms like RSA, The password is stored encrypted (by a key, which is stored in the user's brain) on the filesystem, but to decode the password, the user must enter the key.

SHiNKiROU  2010-04-18 21:51:04
Sorry, I don't understand this. This is an automated process of sending the data to the remote server. There will be no person in the middle to type anything. Did I misunderstand? Thx
Eric  2010-04-18 21:55:13
It has the issue of the user having to provide an input himself, but no method can be really secure and avoid this (if the application can retrieve the password without user interaction, then anyone able to reverse-engineer the application can too).
herenvardo  2010-04-18 21:55:54
+1  A: 

At the very least you should use permissions (if you are on a filesystem which supports them) to ensure that you are the only one able to read the file.

In addition, if your app is compiled, it would not be too difficult to encrypt the password with a hard-coded passphrase. If the code is not compiled this method wouldn't really be helpful, as a would-be attacker could just read the source and determine the encryption.

Jared Forsyth  2010-04-18 21:51:58
This is a linux based OS. And, this application is not compiled. Thanks for the permissions suggestion.
Eric  2010-04-18 21:57:33
A: 

Is your web application hosted on a farm? If not then a technology such as DPAPI will allow you to encrypt the password so that it can only be decrypted on the machine it was encrypted on.

From memory there can be problems with using it on a web farm though, as you need to go and re-encrypt the value for each server.

If it is a web farm then you probably want to use some form of RSA encryption as has been suggested in other answers.

EDIT: DPAPI is only good if you are hosting on windows of course...

Glenn Condron  2010-04-18 21:55:23
A: 

I don't think you are understanding the answers provided. You don't ever store a plain-text password anywhere, nor do you transmit it to another device.

You wrote: Sorry, but the issue is storing a password on the file system... This password is needed to authenticate by the other web app.

You can't count on file system protections to keep plain-text safe which is why others have responded that you need SHA or similar. If you think that a hashed password can't be sufficient for authentication, you don't understand the relevant algorithm:

  1. get password P from user
  2. store encrypted (e.g. salted hash) password Q someplace relatively secure
  3. forget P (even clear the buffer you used to read it)
  4. send Q to remote host H
  5. H gets password P' from user when needed
  6. H computes Q' from P', compares Q' to Q for equality
msw  2010-04-18 22:13:55
It seems the questioner is asking about your step 2: "store ... password someplace relatively secure". The problem is that no matter how well hashed the password is, all a hacker needs are the hashed bytes. If the security of the 'someplace' is compromised, the hacker can submit whatever they like to the external app, without needing to know what the original plain-text password was.
Ray  2010-04-18 22:18:42
I must not have explained my point. This also does not solve the issue. The password that is stored in plain text on our file system is needed to authenticate the web application which is making the request to the other web application. There are no users involved. We write this password to the file system via SSH and it is never given to us by a third person/app. Again, there are no users involved. Thanks.
Eric  2010-04-18 22:21:39
+3  A: 

I don't think you will find a foolproof way to do this. I would suggest a combination of things to achieve 'security by obscurity':

  • store the password file on a different computer than the one which will use it
  • store the file path in a separate config file on the app nachine
  • use permissions to limit access to the config and password files to your process only
  • audit file access if your system allows it (keep a log of who touched the files)
  • give the folders and files innocuous names (/usr/joe/kittens.txt?)
  • block physical access to the computer(s) (offsite hosting, or locked closet, or something)
Ray  2010-04-18 22:32:16
A: 

From the question is seems you must store the password such that it can be read and used in an automated transaction with another site so you could encrypt the password and store it encrypted in the file then decrypt it using a key stored elsewhere in your system before using it. This makes it difficult for someone that gets access to the file from using the password as they now have to find the key and encryption algorithm used so they can decrypt it.

As defense in depth is always better than one strong defense that fails when breached, I would also secure the file containing the password rather than the password itself, configure your webserver such that there is no way it can serve the file containing the password and try to set the process that needs the file to run under a separate account so that you can restrict access to the file just to the account that runs the process and an admin account.

Neal  2010-04-18 22:36:20
+1 for encrypting the password within the file, and decrypting when used - I should have included this in the list in my answer.
Ray  2010-04-18 22:38:53
Can you tell me which method you would use to encrypt the password so that I can then also decrypt it when needed? Thanks!
Eric  2010-04-18 22:42:48
-1 this is not a problem that cryptography solves. The attacker will be able to obtain the key as easily as the password that its trying to protect. This is a job for file privilege and user access control.
Rook  2010-04-19 02:26:13
Agree with @Rook - this is not a secure solution. If you are encrypted passwords are compromised, getting the key is easy. File system protection won't help, because whatever you do, the webserver needs access to the password. If the webserver has access, so does a potential attacker.
sri  2010-04-19 03:09:44
I upvoted this answer because I think it is a valuable part of a defense in depth strategy. If the encryption key is stored in a different place than the password file, and both are in a different place than the process which uses them, an attacker has more steps to take before causing any damage.
Ray  2010-04-19 11:38:00
@TheRook / @Sri There is no *one* solution to this problem, however by encrypting the password you make it such that an attacker must find more than 1 piece of the puzzle. As noted in the second paragraph my recommendations also encompassed the use of UAC (and I probably should have noted this would be my preferred approach if only 1 were selected).
Neal  2010-04-20 23:28:13
@Eric Any encryption algorithm that your crypto libraries support, so long as it is an encryption algorithm and not a hashing algorithm.
Neal  2010-04-20 23:30:12
@sri not a complete solution, but the file should only be accessible by the application `chmod 500`.
Rook  2010-04-21 05:07:12

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?