Find solution
What is the best web scraping software for building contact information databases from online directories?

If you create a web-based application, where & how is the safest way to store your databases' login information?

  • What is the safest way to store your databases' password information on your server? And where? And how?

  • Answer:

    You have a few options. First, you could use a third party to do the authentication for you such as OpenID, Twitter, Facebook, etc. Probably best to support as many as possible since you can't know who has an account on which service. Using a third party means you don't need to handle credentials at all. That is a win for you. However, not everyone has social media accounts, so to store the users credentials, you want to store them using a salted . A secure hash function saves the password in a format that is not reversible--IOW, it is not encryption. A secure hash function takes arbitrary length input and outputs a unique, fixed length output (the hash value). Secure has functions have three properties: Given a hash value, you can not recover the input. The same input into a secure hash function will always result in the same output. Given a has value and secure hash algorithm, you can't decrypt the input (which is why secure hashes are NOT encryption). Secure hashes can be reversed (supposedly), but password guessing programs can try various inputs to find the input that matches an output (aka a Dictionary Attack). You use salts, a couple of randomly generated characters appended to the hash value which make pre-computed dictionaries difficult to create and use. Good hashes today are SHA-1, SHA-2 and others. Store your salted hash in your database along with the username and other stuff. If an attacker gets your password database, they will have to run some sort of attack to guess the passwords. You can also make your passwords stronger by forcing the use of mixed characters, symbols, and numbers, maintaining a password history to stop the reuse of passwords on changes, and so on. Find a library or something in your language of choice that will handle authentication for you. Writing good cryptographic routines (and code that uses them) is very hard. Writing bad routines is very easy.

Mike Fratto at Quora Visit the source

Was this solution helpful to you?

Other answers

You're going to have to make your login credentials readable by the user who's running the application, and because of that, the best objective move you can make is to put the credentials in a place where only that user can read them.  Beyond that, you want to keep the credentials in a place where only those people who absolutely need to have access to them do have access to them--which points to putting those credentials in a separate file than other configuration settings for the best security. Going past the objective to the pragmatic, obscurity helps.  Longer passwords, generated by strong-password-generating scripts will also improve your security.  Many database servers now allow for key-based logins, and having a private key file that's readable only by the application user is probably as safe a place as any.

Joe Emison

Related Q & A:

Just Added Q & A:

Find solution

For every problem there is a solution! Proved by Solucija.

  • Got an issue and looking for advice?

  • Ask Solucija to search every corner of the Web for help.

  • Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.