I''ve been kind of stumped on this one lately . . . I''m planning on adding syncing and interfacing in my application to a couple other web apps through their API''s (specifically Basecamp and del.icio.us). How can I store users'' login credentials to these other services securely? Obviously a regular MD5 or SHA1 hash wont work, because I need to be able to retrieve the full password to send to these services. Any ideas? --AQ {0}~--------------------------------- Aaron Quint aaron-9QXZP/q+QCpBDgjK7y7TUQ@public.gmane.org http://www.quirkey.com --------------------------------------- --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
scott-mv9nzzu5k9jSUeElwK9/Pw@public.gmane.org
2006-Sep-19 16:57 UTC
Re: Storing login info for other services/applications
Yeah, fundamentally there''s no really secure way to do it. To avoid storing clear-text passwords, you can use a 2-way (reversible) encryption function to store the foreign password. Basically encrypt the password to save it, then decrypt it when you need to use it. The problem is that if your app can decrypt the password, then so can an attacker. You can add salt to the encryption, but it will still be possible to break the encryption, especially if the attacker can get access to your code. One approach is the "key store" approach used by common password vault systems. Here you encrypt the passwords using a "master password" given to you by the user. The trick is that you NEVER store this password. Instead, you ask the user for it whenever you need to decrypt and use on of the stored passwords. This should be pretty secure, but obviously at the disadvantage of requiring the user to type in the master password frequently. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
I figured there was no easy solution. What about using the database stored hash of the users password as the salt for encryption? This way every users salt is different, and a little more secure. The problem with using the "key store" approach is that if the user is constantly entering a password, there''s no real advantage to storing the passwords at all . . . Is there an easy way to do salted two way encryption in Ruby? What types of encryption are two way? Thanks for your help! --AQ {o}~~~~~~~~~~~~~~~~~~~ Aaron Quint aaron-9QXZP/q+QCpBDgjK7y7TUQ@public.gmane.org http://www.quirkey.com On Sep 19, 2006, at 12:57 PM, scott-mv9nzzu5k9jSUeElwK9/Pw@public.gmane.org wrote:> > Yeah, fundamentally there''s no really secure way to do it. To avoid > storing clear-text passwords, you can use a 2-way (reversible) > encryption function to store the foreign password. Basically encrypt > the password to save it, then decrypt it when you need to use it. > > The problem is that if your app can decrypt the password, then so can > an attacker. You can add salt to the encryption, but it will still be > possible to break the encryption, especially if the attacker can get > access to your code. > > One approach is the "key store" approach used by common password vault > systems. Here you encrypt the passwords using a "master password" > given > to you by the user. The trick is that you NEVER store this password. > Instead, you ask the user for it whenever you need to decrypt and use > on of the stored passwords. > > This should be pretty secure, but obviously at the disadvantage of > requiring the user to type in the master password frequently. > > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---