Reputation: 11
I have a simple HTML5/JavaScript site that reads a local (to the app) XML file that contains email account configurations and displays mail from several mail accounts on a single page using a single log on. Essentially, a mail consolidator. Problem is, this site is hosted in the cloud on a shared server that is managed by a web host. I don't want the email account credentials saved in plain text in the configuration file. I'm scratching my head trying to come up with a reasonably secure solution, but have had no luck so far.
I could encrypt the credentials in the XML file, but I can't see how I can implement the key without making the path to decryption evident in the JavaScript code.
I'm not asking for code here as much as help pointing me in the right direction designing a means to accomplish this. How would someone go about making it so some tech at the host can't simply open the files in my site and get access to the email accounts?
Upvotes: 1
Views: 1977
Reputation: 24081
If I understood you correctly, you need to retrieve the stored passwords to connect to the managed mail accounts. That means you cannot use one-way hashing; rather, you can only encrypt the data.
Now you face the problem that the server must be able to decrypt the account information, and all the server can do, an attacker can do as well. So you need a way that the server on its own cannot decrypt the data.
One possibility is that you encrypt all data with a user-defined master password. This password should never be stored on the server; let the user enter this password whenever he wants to use the service. Since the account information can only be decrypted with this password, and the password is not accessible from the server, the account information should be safe. This also means that a password reset is not possible.
Of course, storing account information is a delicate thing, and I would really think again if you want the responsibility of this. There are a lot of things to consider, like SSL, XSS, and a lot more.
Upvotes: 1
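The master-password approach from the answer above, as an added example that is not part of the original posts: a key is derived from the password with scrypt, and each account entry is sealed with AES-256-GCM so that only salt, nonce, tag and ciphertext are stored. It assumes Node.js and its built-in `crypto` module; the function names, record layout and sample account are constructed for illustration.

```javascript
// Added example (not from the original posts). Uses only Node.js built-in crypto.
const crypto = require('node:crypto');

// Derive a 256-bit key from the master password. The salt is random per
// record and stored beside the ciphertext; it does not need to be secret.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt one account entry. Only salt, iv, tag and ciphertext are persisted;
// the master password and the derived key are never written to the config.
function sealAccount(account, masterPassword) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every record
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(account), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Decrypt a stored record. Returns null when the password is wrong or the
// record was modified: the GCM tag check fails and final() throws.
function openAccount(record, masterPassword) {
  const key = deriveKey(masterPassword, Buffer.from(record.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample data (hypothetical account, not a real mailbox).
const sample = { host: 'imap.example.test', user: 'alice', password: 'constructed-sample' };
const stored = sealAccount(sample, 'correct horse battery staple');
console.log(JSON.stringify(stored));                 // what would sit in the config file
console.log(openAccount(stored, 'wrong password'));  // null
```

Someone reading the stored record sees no plaintext, but the security of the entry is bounded by the strength of the master password, since the salt and scrypt parameters are available for offline guessing.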
Reputation: 25079
You should salt and hash the data you want to encrypt with a SHA256 hash.
New user:
When logging in:
Here's a link with more details:
http://crackstation.net/hashing-security.htm
Upvotes: 0
Reputation: 2439
Use a server-side language like PHP to do the encrypting and writing. This is probably best achieved using an Ajax call. The user would be able to see the script that was being called, but because PHP is server-side, even if they went to that page they wouldn't be able to tell where the XML file was being saved.
You really don't want to be relying on JavaScript to do any of your secure stuff because it's client side and therefore, never secure.
Upvotes: 0
Reputation: 781
If you are worried about "some tech at the hosting company" then start by using a dedicated or virtual server.
But if that is out of your budget then you need to use a database to record user details and encryption for at least the passwords. Don't use JavaScript for any decryption because it can never be secure. Instead use server-side programming languages like ASP, CGI, PHP, etc.
Upvotes: 0