Reputation: 584
I need to capture clients' passwords for a third-party account on a web form.
I have a dedicated server and SSL installed.
My plan was to have the user submit the form to the PHP processing script.
The PHP processing script will encrypt the password using aes-256-ctr and then save it to a randomly generated filename in a write-only folder on the server (below the public_html folder).
I will get an alert when a new one is added and will immediately scp the encrypted file to my local machine and delete it from the server.
I can then decrypt the file locally.
How secure is this?
Upvotes: 0
Views: 148
Reputation: 112857
No, that is not a secure method of securing the passwords. Security is not gained by keeping the method secret.
If you must save the actual passwords here is one method to reduce the vulnerability:
Consider using an HSM for encrypting the passwords; they are not cheap.
Store the passwords on a separate server not connected to the Internet.
Have only a connection to the server that needs the passwords.
Use a simple API to set, request and delete the passwords.
Use 2-factor admin authentication and limit the admins to no more than two trusted people.
Use serial-numbered tokens for the 2-factor authentication, not email or text messaging; that way you have positive control of the number of admins.
Use rate-limiting on the server and provide alerting if the rate is exceeded.
Hire a cryptographic SME to vet the design and implementation.
Use 2-factor admin authentication on the Internet connected server.
Buy liability insurance.
One major security issue is that many of the users will re-use passwords with other systems. Your system will be breached and user information and passwords will be stolen and you will not know that has happened. These user credentials will be used to gain access to users' information on other systems. Your liability is potentially huge.
Warning: I am not a SME on this topic.
Upvotes: 1
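The "simple API to set, request and delete" with rate limiting and alerting from the answer above, sketched as an added example that is not part of the original posts. The class name, the limit values and the alert hook are assumptions; stored values are treated as opaque blobs that the HSM has already encrypted.

```python
import time
from collections import deque

class RateLimitExceeded(Exception):
    """Raised when the operation budget for the window is spent."""

class PasswordVault:
    """Set/request/delete store for HSM-wrapped blobs (opaque bytes here)."""

    def __init__(self, max_ops, window_seconds, alert, clock=time.monotonic):
        self._max_ops, self._window = max_ops, window_seconds
        self._alert, self._clock = alert, clock
        self._recent = deque()  # timestamps of admitted operations
        self._blobs = {}        # account id -> wrapped ciphertext

    def _admit(self, op, account_id):
        now = self._clock()
        while self._recent and now - self._recent[0] >= self._window:
            self._recent.popleft()          # forget operations outside the window
        if len(self._recent) >= self._max_ops:
            self._alert(f"rate limit exceeded: {op} {account_id}")
            raise RateLimitExceeded(op)
        self._recent.append(now)

    def set(self, account_id, wrapped):
        self._admit("set", account_id)
        self._blobs[account_id] = bytes(wrapped)

    def request(self, account_id):
        self._admit("request", account_id)
        return self._blobs.get(account_id)

    def delete(self, account_id):
        self._admit("delete", account_id)
        self._blobs.pop(account_id, None)

def demo():
    """Constructed run: 3 operations per 60 s, driven by a fake clock."""
    now, alerts = [0.0], []
    vault = PasswordVault(3, 60, alerts.append, clock=lambda: now[0])
    vault.set("acct-a", b"wrapped-a")   # constructed placeholder blobs
    vault.set("acct-b", b"wrapped-b")
    vault.request("acct-a")
    try:
        vault.request("acct-b")         # 4th operation inside the window
    except RateLimitExceeded:
        pass                            # alert hook has already fired
    now[0] = 61.0                       # first three operations have aged out
    return alerts, vault.request("acct-b")
```

Because the limit is global to the single permitted client connection, a bulk read of stored passwords trips the alert hook instead of completing silently.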