In our app, users give us sensitive information (credentials for logging into a third party site). At some point, we need those credentials in cleartext in order to access the third party site, but while they're in our database, we want to make best effort for protecting them.

What techniques have people used for this? I find myself asking "WWMD (What Would Mint.com Do?)" -- any suggestions?

- ff

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.

On Mon, Mar 7, 2011 at 12:44 PM, Fearless Fool <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> In our app, users give us sensitive information (credentials for
> logging into a third party site). At some point, we need those
> credentials in cleartext in order to access the third party site, but
> while they're in our database, we want to make best effort for
> protecting them.
>
> What techniques have people used for this? I find myself asking "WWMD
> (What Would Mint.com Do?)" -- any suggestions?

You might find the ezcrypto gem helpful.

HTH,
Bill

On Mar 7, 1:44 pm, Fearless Fool <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> In our app, users give us sensitive information (credentials for
> logging into a third party site). At some point, we need those
> credentials in cleartext in order to access the third party site, but
> while they're in our database, we want to make best effort for
> protecting them.
>
> What techniques have people used for this? I find myself asking "WWMD
> (What Would Mint.com Do?)" -- any suggestions?
>

I've used Strongbox (https://github.com/spikex/strongbox) to protect sensitive data before, but that was for an application where the private key password wasn't stored on the server at all (requests for the data were user-initiated and prompted for the password). Your case sounds like it might be considerably more automated, which substantially weakens the protection of 99% of systems - if you're storing the keys with the data, then an attack which gets one will likely get the other.

--Matt Jones