Best Practices to store passwords, userid


Jimboidaho

Mar 23, 2012, 11:39:30 AM
to professi...@googlegroups.com
As I am using more web services it seems that I am having to store more user ids and passwords in my ini file. My ini file is buried in my app files so there is no direct path from my web site, but they are wide open if my server was hacked. I have thought about encrypting the values but I would still need a key to decrypt and the key could be found in my code. So back to my question, how do you guys do this?

Thanks.

Robert Gonzalez

Mar 24, 2012, 1:07:38 PM
to professi...@googlegroups.com
This is why OAuth is becoming a more widely accepted form of cross-site authentication. You simply store a token as opposed to a username and password. That token is used on a per-request basis and allows you to not have to worry about your users' passwords ever. That said...

In your case you could use something like Blowfish or the built-in PHP encryption functions. But like you said, if your server is ever compromised then so would your encryption methodologies. Still, something to consider is the likelihood of server compromise and the likelihood that the information you store on your server will be the subject of theft and/or subsequent abuse. If that's the case you could always set up a second storehouse on another server (or even on your server under a different domain) and make an API call of your own to your own storehouse to request the information you seek, making sure to enforce your own security policies as part of the request (like IP, hostname, hashes of system-defined files/strings, etc.). Just an idea for you. Not saying this is a preferred way, or even a recommended way, of handling your situation.

--
This group is managed and maintained by the development staff at 360 PSG, an enterprise application development company utilizing open-source technologies for today's small-to-medium size businesses.
 
For information or project assistance please visit :
http://www.360psg.com
 
You received this message because you are subscribed to the Google Groups "Professional PHP Developers" group.
To post to this group, send email to Professi...@googlegroups.com
To unsubscribe from this group, send email to Professional-P...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Professional-PHP
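One way to do the "encrypt the values" variant Robert mentions, as an added example that is not code from the thread: the decryption key lives outside the app files in an environment variable, so a copy of the source tree or the ini file alone does not reveal the plaintext (an attacker who can read the running process's environment still can, which is the limit Jim already points out). It assumes PHP with the sodium extension and a hypothetical APP_SECRETS_KEY variable holding a base64-encoded 32-byte key.

```php
<?php
// Added example, not code from the thread: credentials stay in the ini file
// encrypted; the key comes from outside the code base (the hypothetical
// APP_SECRETS_KEY environment variable, set in the web server or service
// unit config, not in a file under the document root). Needs ext/sodium.

function loadKey(): string {
    $b64 = getenv('APP_SECRETS_KEY');
    if ($b64 === false) {
        throw new RuntimeException('APP_SECRETS_KEY is not set');
    }
    return sodium_base642bin($b64, SODIUM_BASE64_VARIANT_ORIGINAL);
}

// One-off step: make the "enc:" value to paste into the ini file (random nonce prepended).
function sealValue(string $plain, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);
    return 'enc:' . sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_ORIGINAL);
}

// Runtime step: decrypt "enc:" values; plain values (user ids) pass through.
function openValue(string $value, string $key): string {
    if (strncmp($value, 'enc:', 4) !== 0) {
        return $value;
    }
    $raw   = sodium_base642bin(substr($value, 4), SODIUM_BASE64_VARIANT_ORIGINAL);
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // Wrong key or edited ciphertext: fail closed instead of using garbage.
        throw new RuntimeException('cannot decrypt ini value');
    }
    return $plain;
}

// Load [section] blocks (e.g. [mailer] user=... password=enc:...) decrypted.
function loadCredentials(string $iniPath, string $key): array {
    $cfg = parse_ini_file($iniPath, true, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $iniPath");
    }
    foreach ($cfg as $section => $entries) {
        foreach ($entries as $name => $value) {
            $cfg[$section][$name] = openValue((string) $value, $key);
        }
    }
    return $cfg;
}
```

Generate the key once with `sodium_crypto_secretbox_keygen()`, base64 it into the environment, and run `sealValue()` for each password from a CLI script rather than from a web-reachable page.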

ashore

Mar 26, 2012, 2:03:05 AM
to Professional PHP Developers
Why won't storing the password hash do it for you? AS

Jimboidaho

Mar 26, 2012, 1:50:54 PM
to professi...@googlegroups.com
Thanks Robert. The second server is interesting to me since I will soon be moving my database server to another computer.

Jim Blackburn

Mar 26, 2012, 4:10:03 PM
to professi...@googlegroups.com
The web services have their own requirements. I can't send hashed passwords.

Jolly

Mar 3, 2013, 4:51:27 PM
to professi...@googlegroups.com
Why don't you try www.customauth.com? It supports Facebook and LinkedIn token storage along with native authentication and authorization.