0

If you have a website that needs to store users' credentials for other sites, how do you store those credentials securely? An example is Mint.com, where you give them your username/password for your bank accounts. Based on this Quora answer, Mint.com uses a combination of software and specialized hardware, which doesn't sound cheap or easy to build. What are some simpler pure-software solutions for storing credentials? Is there any open source software that's designed for this?

kefeizhou
  • http://en.wikipedia.org/wiki/Password_manager – razethestray Nov 29 '13 at 21:32
  • 1
    If I understand you correctly, you're asking about what broad programming method would be used. That is a question for Stackoverflow, and you should specify your programming language to keep the answer manageable. – scuzzy-delta Nov 30 '13 at 03:39

3 Answers

0

Short answer: Carefully structured reversible encryption. Long answer: The question doesn't contain enough information for anyone to provide a long answer. State the web app environment at least.

scuzzy-delta
0

Stringent key control, regular and heavy pen-testing, and LOTS of audit logs, probably with a team to review them.

This is not a matter of "just throw it in PGP and call it a day", but requires a lot of design work. It's also a good plan to notify and work with the places you're storing passwords for, to see if you can use them once and generate read-only tokens for access, or some other form of restricted access. And follow best practices as much as possible, to prevent the breaking of one password to allow access to others.

There is also a heavy operations load - these machines need to be stripped down, hardened, and as far away from the rest of your infrastructure as you can manage, to prevent attacks from hopping over.

Ryan Gooler
0

As per comment, I think this covers a lot of the same ground as a previous question - sorry but you really don't want to store passwords like mint.com do.

As per discussion elsewhere, there appears to be a discrepancy between what they assert and what they practice. And there's basic security stuff they still have not implemented on their site.

Please aim higher.

symcbean