10 events
when what by license comment
Mar 5, 2017 at 20:41 comment added MikeSchem Ah, ok. Yeah, encrypting on the client side and just storing the encrypted passwords on the server is probably a good idea, providing you encrypt correctly. My recommendation would be to find a strong JavaScript encryption library and use it. Make sure you require a sufficiently complex password and a sufficiently entropic random number generator and you should be fine.
Mar 3, 2017 at 18:21 comment added Maciej Kravchyk But how could I use 3rd party cookies for authentication on another server? I don't understand the idea. Could you tell me more? I guess there would be a way to log in without passwords. I can make an API on these sites that would programmatically log them in, I only need to figure out how to create, store and use authentication tokens for the API.
Mar 3, 2017 at 18:08 comment added xmp125a @MaciejKrawczyk What about 3rd party cookies? Granted, many people hate them, but these people (including me :) would hate your people-impersonating, password storing scheme even more.
Mar 3, 2017 at 18:06 comment added Maciej Kravchyk Or maybe if going the file way, the file would be an encrypted password list and the main password would be used to decrypt the file. That way the user would know he has his passwords and they are securely encrypted on his computer.
Mar 3, 2017 at 18:03 comment added Maciej Kravchyk That's why I also asked about encryption, how could I make it more secure. And I would require passwords to be at least 16 characters. I don't know, maybe another, less convenient way would be to give users private keys. They would have to upload them every time they'd like to access passwords database.
Mar 3, 2017 at 17:58 comment added xmp125a @MaciejKrawczyk And how do you know that you encrypted e.g. a 5-character password in any secure way?
Mar 3, 2017 at 17:56 comment added Maciej Kravchyk No, that was my point. The data is encrypted and decrypted on the frontend. The server only stores encrypted data, it doesn't decrypt it and encrypt it. Everything happens in the user's browser.
Mar 3, 2017 at 17:55 comment added MikeSchem If they own the server, they will have the encryption key used. Then you have to explain to your customers why their multiple accounts you have saved passwords for have been hacked.
Mar 3, 2017 at 17:52 comment added Maciej Kravchyk But if the encryption is strong, how could the attacker ever decrypt the data without having the password?
Mar 3, 2017 at 17:49 history answered MikeSchem CC BY-SA 3.0