
I'm working on an integration with an external service that requires per-user authentication, like Facebook for example, but unlike Facebook only allows username+password for this authentication. My basic security background is uncomfortable at the thought that this means I actually need to collect user login credentials for the external service and store them unhashed.

Is there a standard solution to the problem of needing plain-text user passwords available?

1 Answer


You should store the passwords encrypted with a modern symmetric encryption algorithm. AES with a 256-bit key is recommended. Be sure to use a well-known and verified implementation of AES. The key must be stored securely as it is used to both encrypt and decrypt the stored passwords.

Also, if the service you're authenticating to requires you to send plaintext passwords over a network, make sure you're using a TLS-secured protocol (e.g. HTTPS).

If the service doesn't support TLS connections, all bets are off and you should seriously consider how useful this service really is (imagine all of the other things they're doing insecurely. Do you pay for this service? I wonder how they store your billing information?).

Dan
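A worked example of the encrypted-storage approach this answer recommends, added here and not part of the original answer: AES-256-GCM from Go's standard library, with the 32-byte key supplied by the caller (assumed to come from a KMS/HSM or secrets manager) and the user ID bound as associated data so a ciphertext cannot be moved between user rows. The `Vault` type and its methods are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Vault wraps the single 256-bit key that both encrypts and decrypts stored
// third-party passwords; load it from a KMS/HSM, never from the same database.
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // GCM: confidentiality plus integrity
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one user's external-service password under a fresh nonce; the
// user ID is associated data, so a blob moved to another user's row will not open.
func (v *Vault) Seal(userID, password string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize()) // stored as nonce || ciphertext+tag
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(password), []byte(userID)), nil
}

// Open recovers the plaintext only when it is about to be sent to the service.
func (v *Vault) Open(userID string, blob []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("stored blob too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(userID)) // tamper or ID mismatch -> error
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Keep the key out of the database and rotate it by re-sealing each row; the plaintext should exist in memory only for the moment it is handed to the external service's login call.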
  • Using symmetric encryption to store passwords is a bad practice and should never be used. Just think: where would you store the key? – Mr. E Mar 07 '17 at 14:34
  • @Mr.E Where would you store the key for *any* application of symmetric encryption? It's the same problem whether you're encrypting backups or passwords or anything else. If you have a better idea for the OP's particular situation, feel free to write an answer of your own. I will be sure to upvote if it's better than my suggestion! – Dan Mar 07 '17 at 14:55
  • I don't think it's the same for a key for backups and a key for passwords. In the case of passwords the application must be able to use the key to check the password; in the case of the backup the application doesn't need the key, as the backup should be managed from outside the application. Also, I don't know if there is a secure solution for this use case; honestly I wouldn't use a service with such requirements. Maybe using an HSM is a suitable solution to correctly apply symmetric encryption for passwords, but I don't know too much about it to recommend it. – Mr. E Mar 07 '17 at 15:11
  • @Mr.E "I wouldn't use a service with such requirements". I agree, hence my last paragraph. That said, if using this service is itself a requirement, then there's not much choice for the OP (assuming this is a work environment and he's being paid to do exactly that). Sometimes you have to compromise your own standards to meet employer or customer requirements; sometimes there just really is no better, feasible alternative. – Dan Mar 08 '17 at 15:34