Is it safe to store passwords for other sites?

My university has a portal that students use to register for classes. If you want to get into a full-fledged class, you must continue to check the portal and register when the class has an opening.

I wrote a tool that can check for openings and register automatically, but this requires a name and password for university students. These passwords are tied to email accounts, network resources, servers, and most other university services.

Is there any way to do this safely?

+4
5 answers

Unfortunately, this is really not possible - at least not the way you want to do it if the university does not provide a key-based authentication API. You can always ask them nicely, but they are likely to be too busy to help. If you provide your users with full disclosure of information and ensure the security of your server, this should be enough.

In fact, there is one way to do this over the Internet without saving passwords - you can use a Java or Flash application. Unfortunately, your users need to leave the browser open while the application does its work, but in this way you will not need to store information.

+1

In security, the most important thing is the threat model. What attack are you afraid of?

  • someone can steal the computer that runs this program: put the computer in a locked room.
  • someone can hack into a computer and read it from memory: use firewalls and other protection against remote attacks.
  • other users can read the hard drive on which the password is stored: only store the password in memory (which would require re-entering it every time the program starts).
  • super user can read the password even if it is in memory: run the program only on the computer where you trust the super user.

etc.

+3

You can encrypt password strings when saving them and then decrypt them when you need to try logging in. Just create a symmetric key and use it to encrypt and decrypt passwords for storage and retrieval (respectively).

0

You cannot fully protect them, because you will need to encrypt and decrypt, so one-way hash algorithms such as MD5, SHA-1, SHA-2 will not be sufficient. You could learn something like DES or Triple-DES.

0
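A sketch of the reversible storage discussed in the two answers above, as an added example that is not code from any poster: it uses Fernet (AES-CBC with HMAC) from the third-party `cryptography` package rather than DES, and derives the key from a passphrase typed at startup so the key is never stored beside the ciphertext. The `CredentialVault` class, its method names and all sample values are hypothetical.

```python
import base64, json, os
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Stretch the operator's passphrase into a 32-byte Fernet key.
    kdf = Scrypt(salt=salt, length=32, n=2**14, r=8, p=1)
    return base64.urlsafe_b64encode(kdf.derive(passphrase.encode()))

class CredentialVault:  # hypothetical name, not from the page
    """Key lives only in memory; only the salt and ciphertexts are persisted."""

    def __init__(self, passphrase: str, salt: bytes = b""):
        self.salt = salt or os.urandom(16)
        self._fernet = Fernet(derive_key(passphrase, self.salt))
        self.records = {}  # username -> Fernet token (str)

    def store(self, username: str, password: str) -> None:
        # The username is encrypted together with the password so that a token
        # copied onto another user's row is detected on retrieval.
        payload = json.dumps({"u": username, "p": password}).encode()
        self.records[username] = self._fernet.encrypt(payload).decode()

    def retrieve(self, username: str) -> str:
        try:
            raw = self._fernet.decrypt(self.records[username].encode())
        except InvalidToken:
            raise ValueError("wrong passphrase or modified record") from None
        payload = json.loads(raw)
        if payload["u"] != username:
            raise ValueError("record belongs to a different user")
        return payload["p"]

    def dump(self) -> str:
        # What goes to disk: no key, no plaintext.
        return json.dumps({"salt": self.salt.hex(), "records": self.records})

    @classmethod
    def load(cls, passphrase: str, blob: str) -> "CredentialVault":
        data = json.loads(blob)
        vault = cls(passphrase, bytes.fromhex(data["salt"]))
        vault.records = data["records"]
        return vault

if __name__ == "__main__":
    vault = CredentialVault("operator passphrase (constructed)")
    vault.store("student1", "constructed-sample-password")
    print(vault.dump())
```

This covers only the "other users can read the hard drive" case from the threat-model answer: anyone who has both the passphrase and the stored file, or who can read the running process's memory, can still recover every password.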

I do not think so. Martin noted that one-way encryption will not do this for you. It will also create a nightmare for you to service - each time the user changes the password, you will have to update your data.

I think that in order for you to really work, you need to change the design: find a way to register without a user password, that is, talk to the owners of the application if they provide you with an account through which you can register on behalf of someone else.

0