I need help with a situation I can't get my head around. I need to store a password for a third-party service, and I don't want it to be human-readable.
I came up with a (possibly dumb) solution: my service generates a secret key that encrypts/decrypts the password. It uses that key to decrypt the password when access to the third-party service is needed, and to encrypt it when it needs to store it.
The question is: is my solution safe? Is it good or bad? Is there a better approach? Could you please point me in the right direction?
Storing retrievable passwords is probably one of the hardest tasks in cryptography. Your application needs to get those passwords in plaintext, and so can an attacker with enough privileges. There are some common ways to solve this problem though:
None of the systems above are bulletproof; the application itself has to be able to get the passwords, after all. This is why one tries to avoid storing passwords completely (e.g. by storing hashes) if possible.
If you can afford dedicated hardware, you could either outsource the password management to a second server which is not accessible from the internet, or you could think about purchasing a hardware security module.
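To make the answer's point concrete, here is an added example (not part of the original question or answer) of the "application-held key" approach the asker describes, written in Go with the standard library's AES-256-GCM. The key is generated in memory so the example runs stand-alone; in a real deployment it would be supplied from somewhere other than the database that holds the ciphertexts (an environment variable injected at start-up, a KMS, or an HSM). The record identifier is bound as associated data so a ciphertext copied from one row to another fails to decrypt. The names `Vault`, `Seal`, `Open` and the sample record ID are assumptions made for this example. Note the caveat the answer makes: anyone who obtains both the key and the stored blob gets the password back, exactly as the application does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Vault wraps the application's own secret key. The key must be kept apart
// from the database rows that hold the encrypted passwords; if both leak
// together, the encryption buys nothing.
type Vault struct {
	aead cipher.AEAD
}

// GenerateKey returns a fresh 32-byte AES-256 key from the OS CSPRNG.
// Example only: a real service would load the key from its secret store.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// NewVault builds an AES-256-GCM AEAD from a 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts a third-party password for storage and returns
// base64(nonce || ciphertext || tag). recordID is authenticated as
// associated data, so the blob only opens for the row it was made for.
func (v *Vault) Seal(recordID, password string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per encryption
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, []byte(password), []byte(recordID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open decrypts a blob produced by Seal. Any tampering with the nonce,
// ciphertext, tag or recordID makes GCM's tag check fail and returns an error.
func (v *Vault) Open(recordID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("stored blob too short to be valid")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample: the password we were given for a third-party API.
	stored, err := v.Seal("integration:acme-api", "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in DB:", stored)
	pw, err := v.Open("integration:acme-api", stored)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered for use:", pw)
	// The same blob under a different record ID is rejected.
	if _, err := v.Open("integration:other", stored); err != nil {
		fmt.Println("wrong record ID:", err)
	}
}
```

The design choices worth copying are the random nonce per encryption, the AEAD (so a modified blob is rejected rather than silently decrypted to garbage), and the associated-data binding. What the code cannot fix is the answer's core caveat: the process that holds the key can always recover the plaintext, so protecting where that key lives (or moving it into an HSM or a separate server) is the real security boundary.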