Store passwords of external database securely

Question

I am creating a PHP application which can be installed on user's server but the administration is hosted on my server.

I need to store the password, username, db_name, host and port of database of the user. I think I should store in database (MySQL), but I don't know how to do securely.

Can you tell me please how can I store external passwords securely?

Thank you!

Answer 1

You need to have one secure key setup on main server (where database settings are stored) for example the password is b@auty! and on the other machine decrypt function with the same key to decrypt password. Now you can secure any string simply by

   //url encrpytography
    function encrypt($val, $key = 'b@auty!') {
        $keySalt = $key;
        $query = base64_encode(urlencode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($keySalt), $val, MCRYPT_MODE_CBC, md5(md5($keySalt))))); //this line of code encrypt the query string
        return $query;
    }

    function decrypt($val, $key = 'b@auty!') {
        $keySalt = $key; // same as used in encryptLink function
        $queryString = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($keySalt), urldecode(base64_decode($val)), MCRYPT_MODE_CBC, md5(md5($keySalt))), "\0");   //this line of code decrypt the query string
    //CHECK IF RETURN IS REAL LETTERS
        if (preg_match('/^[a-z0-9 .\-]+$/i', $queryString)) {

        } else {
            $queryString = '';
        }
        return $queryString;
    }

$encrypt = encrypt("string");
echo $encrypt;

$decrypt = decrypt($encrypt);
echo $decrypt

Answer 2

There is obviously more than one way to handle passwords in data stores. If you are very concerned that your password stores are never compromised, I highly recommend you look at this information:

http://www.openwall.com/articles/PHP-Users-Passwords

I always use this methodology now because it's as secure as one can get. It's free, and I have no affiliation with the author or his operation.