Databases
StackOverflow2013
Postsdbo
POSecurely storing user credentials in DB, for PHP web application
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POSecurely storing user credentials in DB, for PHP web application
    text
    copied!<p>I have a built a web application that now has a requirement of storing user credentials for access to another system. (As much as I would like to <em>not</em> do this, unfortunately I have no choice in the matter.)</p> <p>My web application interfaces with a Windows domain controller over LDAP to verify user accounts. So, when the user logs into my application, the application checks LDAP to make sure they are a valid user and their password is correct. Once authenticated, the users' miscellaneous data is loaded from a MySQL database.</p> <p>Now, I need to store a username and password for this other system in this database somehow, and I am exploring the most secure way to do it.</p> <p>One method I have considered was encrypting the credentials for this other system using the users' domain password (as verified by LDAP) as the encryption key. This way if someone did get the database somehow, it wouldn't be of much use as each record would be encrypted with a different (hopefully anyway) key, and that key wouldn't be present in the web application itself anywhere. The problem with this method is that when the user changes their password, the saved credentials for the other system are no longer valid. I would then have to prompt again for the other system credentials. I am not opposed to doing this, provided that there isn't another method.</p> <p>Any thoughts? Thank you for your time.</p> <p><strong>Edit:</strong> Something else I just thought of was encrypting based on some other data exposed for LDAP. One value that looks promising (and also probably insecure to anyone on the domain) is the <code>objectGUID</code>, which I assume is the GUID for the account. I might use this the encryption key. Is this easy to find by domain users or others?</p> <p><strong>Edit #2:</strong> I have found that any domain users can easily look up the GUID via LDAP, so I have decided that method is out. I may have to encrypt based on the user password, unless there are other recommendations.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload