1

I'm writing an application which has a function where it logs into another website to scrape details, based on what is there for the specific user.

They don't have an API at all, so I'm having to do it the dirty way with cURL and their email/password.

What would be the best way to do this? Storing plain-text passwords is out of the question because a) I care about the security, b) it's a commercial product, and c) the website is a ticketing website, so the accounts can have thousands, if not 6 digits' worth, waiting to be paid out at a time.

I am using this library: https://github.com/defuse/php-encryption/releases for two-way encryption.

I don't want to encrypt it against the password or email account, because they can change. I don't want to encrypt it against the user id because it would be far too simple if we were ever attacked.

Is it worth creating a hash table specifically for this and just throwing a randomised hash in, or just encrypting it against another value? Again though, a hashing table would just make it blatantly obvious.

How do you all deal with this?

Thanks

DLipscombe
  • To note: you can't use a hash, because cryptographic hashes are designed to not be reversible, and you need to reverse back to the password. – Xiong Chiamiov Feb 14 '17 at 00:36
  • When I say hash I mean a hash-style key. I don't think this is a duplicate either, but I could be wrong! – DLipscombe Feb 14 '17 at 00:38
  • Other possible duplicates: [Storing third party auth info; Is this secure?](http://security.stackexchange.com/q/51808/16960), [Is this a good scheme for storing encrypted user credentials?](http://security.stackexchange.com/q/122767/16960), [Good way of storing lots of third-party passwords](http://security.stackexchange.com/q/110046/16960). – Xiong Chiamiov Feb 14 '17 at 00:39
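
As an added illustration (not code from the question or its comments): reversible, authenticated encryption with the library named in the question, using a random key that is not derived from the email, password or user id and is held outside the database. It assumes defuse/php-encryption v2 installed via Composer; the environment variable `SCRAPER_CRED_KEY` and the function names are hypothetical, and the sample password is constructed.

```php
<?php
// Added example. Assumes defuse/php-encryption v2 (Composer autoloader).
require __DIR__ . '/vendor/autoload.php';

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;

// The key comes from the environment, not from a database column, so a
// database dump on its own does not hold what is needed to decrypt.
function loadAppKey(): Key
{
    $ascii = getenv('SCRAPER_CRED_KEY'); // hypothetical variable name
    if ($ascii === false || $ascii === '') {
        throw new RuntimeException('SCRAPER_CRED_KEY is not set');
    }
    return Key::loadFromAsciiSafeString($ascii);
}

// Returns the hex-encoded ciphertext to store in the credentials row.
function sealCredential(string $password, Key $key): string
{
    return Crypto::encrypt($password, $key);
}

// Returns the plaintext, or null when the key is wrong or the stored
// value was modified (the library verifies a MAC before decrypting).
function openCredential(string $stored, Key $key): ?string
{
    try {
        return Crypto::decrypt($stored, $key);
    } catch (WrongKeyOrModifiedCiphertextException $e) {
        return null;
    }
}

// Demo with a freshly generated key and a constructed password.
putenv('SCRAPER_CRED_KEY=' . Key::createNewRandomKey()->saveToAsciiSafeString());
$key    = loadAppKey();
$stored = sealCredential('constructed-third-party-password', $key);

// Round trip: the key does not depend on any user attribute, so a changed
// email or site password does not affect decryption of other rows.
var_dump(openCredential($stored, $key));

// Flip the last hex digit to simulate a modified row, then try a wrong key.
$tampered = substr($stored, 0, -1) . ($stored[-1] === '0' ? '1' : '0');
var_dump(openCredential($tampered, $key));
var_dump(openCredential($stored, Key::createNewRandomKey()));
```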

0 Answers