marcin_koss

Reputation: 5882

How to deal with ftp password in web application in a secure manner

I'm working on a script (PHP+MySQL) that will let you edit files over FTP. What I'm trying to do is, when a user is logged in and connects to the server, I want to memorize the FTP password so it can be reused to reconnect to the server transparently (for example, when browsing files). I don't want to store the raw password in the database for security reasons. I was thinking about storing the password in a cookie with a reference to the connection id in the database. But this doesn't sound secure enough either. How about storing a temporary password entry in a database?

Any ideas how to approach this problem?

Upvotes: 2

Views: 290

Answers (1)

Jay

Reputation: 3295

You could try an asymmetric key system.

  1. Generate a public/private pair
  2. Give the private key to the user
  3. Use the public key to encrypt the password and store it in the database
  4. Each time the user does an action, they supply the private key you gave them
  5. You use the private key to decrypt the password, do the action, and then destroy the private key in memory

Should be more secure than just relying on the server to encrypt/decrypt it on its own. It's not 100% foolproof (if they root your server, they can sniff the private keys) but it's a good way to prevent a one-sided attack. At least, any old passwords are not vulnerable if you are compromised since the private keys will have been lost.

Edit: As has been pointed out by sarnold, you can also do this with a symmetric key system.

Upvotes: 2
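
The five steps in the answer above, as an added PHP example that is not part of the original answer. Function names are hypothetical, the password is constructed sample data, and how the private key travels to and from the user is not shown.

```php
<?php
// Added example. Function names are hypothetical; the password is constructed sample data.

// Steps 1-3: generate a key pair and encrypt the FTP password with the public half.
function sealFtpPassword(string $ftpPassword): array
{
    $pair = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($pair === false || !openssl_pkey_export($pair, $privatePem)) {
        throw new RuntimeException('key generation failed');
    }
    $publicPem = openssl_pkey_get_details($pair)['key'];

    // OAEP padding; RSA-2048 with OAEP holds at most 214 bytes, enough for a password.
    if (!openssl_public_encrypt($ftpPassword, $sealed, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'for_database' => base64_encode($sealed), // ciphertext only; the server keeps no key
        'for_user'     => $privatePem,            // handed to the user, never stored server-side
    ];
}

// Steps 4-5: the user supplies the private key with a request; use it once, then drop it.
function openFtpPassword(string $fromDatabase, string &$userPrivatePem): string
{
    $sealed = base64_decode($fromDatabase, true);
    $ok = $sealed !== false
        && openssl_private_decrypt($sealed, $password, $userPrivatePem, OPENSSL_PKCS1_OAEP_PADDING);

    // Best-effort wipe: PHP may still hold other copies of the key (request arrays, copy-on-write).
    if (function_exists('sodium_memzero')) {
        sodium_memzero($userPrivatePem);
    }
    $userPrivatePem = '';

    if (!$ok) {
        throw new RuntimeException('decryption failed: wrong key or corrupted record');
    }
    return $password;
}

$record = sealFtpPassword('s3cret-ftp-pass');      // constructed sample password
$key    = $record['for_user'];                     // in practice this arrives with the user's request
echo openFtpPassword($record['for_database'], $key) === 's3cret-ftp-pass' ? "round trip ok\n" : "mismatch\n";
```

The private key is as sensitive as the password it unlocks, so it should only travel over TLS and should be bound to the same session lifetime as the FTP connection record.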
