I’m currently planning the development of a PHP application that shall require user passwords for external services to be stored so that they can be logged into simultaneously when the user logs into my application.
I shall need to store passwords in a secure, i.e. not plain text, and not base64 encoded but that shall also need to be accessible as plain text by the application, one way or another.
I’ve only been able to think of something like the following:
When a user adds their credentials for the external service to their account, they re-enter their password for my application and that (in an encrypted form) is used to ‘encrypt’ the password for the external service somehow, but in a way that makes it accessible still.
Does anyone have any thoughts on if this is possible, or a potential solution?
Thanks
Also: it’s worth noting that it will be an SSL connection that the data is sent over.
Out of curiosity: Say for example; Google Mail, you can add email accounts to your Google Mail account so that all of them are checked. Does anyone have any thoughts on how Google store the passwords for the accounts you add?
The problem with this in general, is if your system is every compromised, the attacker can get all the passwords for all the systems, because they are encrypted and not hashed. There is no way around this, since you want to be able to get the plain-text passwords.
If you must do this, you can use something well trusted like OpenSSL to encrypt the passwords.