How to store thirdparty passwords without reading them

Question

I need help with a situation I can't get my head around. I need to store a password from a third-party service, and I dont want it to be human-readable.

I came up with a (possibly dumb) solution: my service generates a secret key that encrypts/decrypts the password, and it uses that key to decrypt the password, when access third-party service is needed, and encrypt it when in need to store it.

The question is my solution safe? Is it good or bad? Is there a better approach? Could you please point directions?

Answer 1

Storing retrievable passwords is probably one of the hardest tasks in cryptography. Your application needs to get those passwords plaintext, and the same can do an attacker with enough privileges. There are some common ways to solve this problem though:

1. If the target website offers an authentication service, you can exchange the plaintext password with a token, and store this token (instead of the password) for future requests. The OAuth2 protocol works this way.
2. You can request a master password every time the user starts your application. This master password is used to encrypt the website passwords, but is never stored itself, only kept in memory as long as the application runs.
3. Most operating systems offer some kind of key store, in Windows it is called Data Protection API (DPAPI), in Android it's the KeyStore . A key store solves the problem on OS level, that one cannot encrypt a password, without having the master key around (which raises the question of where to store the master key...).

None of the systems above are bullet proof, the application itself has to be able to get the passwords after all. This is why one tries to avoid storing passwords completely (eg storing hashes) if possible.

If you can afford dedicated hardware, you could either out-source the password management to a second server which is not accessible from the internet, or you could think about purchasing a hardware secuity modules .