I'm developing a mail client in PHP for a customer, and they want the ability to handle all of their various email accounts from this single client.
The user should not have to type all passwords every time he wants to use the service, and thats my problem. Is there a way to retrieve and send mail through Gmail without entering the password to the mail account? Is there some other way? Or must I save the passwords in my database with some encryption and decrypt it with a "hidden" key?
https://developers.google.com/google-apps/gmail/ Read the OAuth section.
OAuth gives you a token, instead of a password. Even if the user changes his gmail password, said token would allow you to access his inbox and such.
As for Hotmail... i think no OAuth API is out there, sadly.
Read this just in case:
http://msdn.microsoft.com/en-us/library/live/hh826535
Authentication with the email server will need you pass the password, so you are right about the crypt and decrypt mechanism (a cipher) for storing it in the database of your application. That will prevent email passwords be readable if someone gets your data, but you will need to be carefoul in how application stores the key to decrypt. Here are some extensions in PHP for ciphers http://www.php.net/manual/en/refs.crypto.php
Related
Let's say I have a MySQL database with thousands of user accounts in it. These accounts contain lots of data, but for verification purposes, they each contain a username and a (hashed and salted) password. Now, when a user requests signing in, I will take a username and password from them, transfer it via WSS to a Node.js server then transfer it via HTTPS to a PHP file on another server. On that server I will look up the username in the MySQL database, and if I find an account, I will hash the password and see if it matches that username's password. If they both match, then I want the PHP file to create a "verification token" of sorts, save it (and associate it with the account verified) and send the token back to the Node.js server. I then want the Node.js server to send that token back to the client and for the client to save that token. Now the next time the user connects to the Node.js server via WSS, I want the client to check for an existing token, and if it exists I want it to send that token via WSS to the Node.js server, the Node.js server to send that via HTTPS to a PHP file, and that PHP file to see what account that token belongs to, and complete the sign in...
So I guess my first question would be: Is this a good model? Would this be a good idea, and would this be secure, or should I do this differently?
My second question is: What would be the best way to go about generating this token? Should it be completely random? Should it be a combination of letters+numbers? Should it be a hash of some random values? How should I go about the generation of this "token"?
To clarify, I'm not asking how to build a server or make requests or transfer data or anything of that sort, I'm merely asking what is the most secure way to generate a "token" that can be used as authentication to the same degree that a username+password can be used.
Thanks in advance! I'm sorry if this is a really stupid question.
I think you are describing a JWT. There are several packages implementing this in PHP.
I have a Web Application that permits user to register though a normal HTML Form, or via Facebook or Google.
The question is what password should I store in the database, because even if the OAuth provider gives me relevant information like email, name, age, etc... It Obviously does not give you a password.
What would be the correct password to store in Database?
I have a few ideas:
Generate a Random one and send it through email (Not very secure)
Add an empty string. (They will never be able to login using a password because on acceptin login request I validate that password should contain more than 5 characters, this sounds like a very hacky way to do it)
Make it compulsory to fill in a password after registering through OAuth provider.
Any Thoughts?
It depends entirely on your application. Is authentication going to run specifically through a 3rd party - i.e. googleAuth?
If it is, there is no need to store a password. If you would also like to handle authentication in your application then give a user an option to sign up with google/facebook or with your application.
I see 3rd party authentication as a better user experience because they don't have to register on another site. With that in mind, if they sign up on your site then require a password, if they choose a 3rd party authentication, don't store a password.
I'm creating an application for Android and iOS where user have to set up an account with a username, password and a mail address for sending there password in case they forgot it. It's a kind of a game, so it will also save their wins and losses in a MySQL-database. So not really personal data (like address or phone number).
The app talks to the MySQL database via PHP-Scripts(JSON and POST http-method).
So in fact that I don't have a lot of security knowledge, I would like to know how to transmit the data secure from the application to the server. Is it save to send the data to the PHP-Script via POST? I use the md5-hash for saving the password in the database.
And how to make sure, that the data was send from a mobile phone with an active account?
Thanks for your help.
"I use the md5-hash for saving the password in the database."
This is bad. Use password_hash() and password_verify() instead of MD5.
"I would like to know how to transmit the data secure from the application to the server."
Serve over HTTPS instead of HTTP. Pin certificates if you're especially paranoid.
"[H]ow to make sure, that the data was send from a mobile phone with an active account?"
There is no way to make absolute sure. Clients can and will lie. Attackers can spoof user agents and defeat any fingerprinting method you can devise.
I have a backboneJS application that communicate with a Restfull API write with Symfony2.
To authenticate the user, an HTTP header (WSSE) is sent to all queries.
The header looks like this:
X-WSSE:UsernameToken Username="foo#goo.com", PasswordDigest="clrGx4hSEyC3zdndd04/51yuee7Q=", Nonce="VURQQWQ0RTBMSGo4enBCN05GSjNuTGhsSjF3PQ==", Created="2014-05-09T15:11:06+02:00"
For generate the passwordDigest, I need to have the user password encrypted. For testing, I have put this password encrypted directly in my frontEnd.
So, for create a générique method and not sent the password encrypted on the network, I need to generate the same password encrypted in my front End.
The User try to connect:
User write is email
Application try to get the salt for this email
User write is password
Application created the same encrypted password that this base
Anyone know how to encrypt the password on the client side (in javascript), with the password (enter by the user) and the salt?
Thank's !
There are various libraries available for encryption on the client side. Forge is a library which implements a few message digest functions in JS, including SHA-1 which is what you seem to be using currently.
I am developing an admin panel for the company I'm working at, and was wondering about something. I want to increase the experience for the employee. I want them to be able to connect to their email by entering the login credentials, and then read the emails inside the admin panel. What I need help with is this:
If I establish an imap_open connection, I need the password in plain text (as far as I know). I can't safely save the password in the database knowing that it would be a catastrophe if a hacker got their hands on the data.
Basically, I want to:
Create an imap_open connection with an ENCRYPTED password. Preferably as bcrypt.
Do any of you know how to do this? I've searched on google, and even seen some other questions on stackoverflow, but I can't seem to find an answer to the question. I would NEVER save the password as plain text. And just using a COOKIE or SESSION seems cumbersome.. for the admin to login to their email all the time, when all I want is for the email to load for the appropriate admin account when logged in.
If I'm understanding correctly, you want to:
store the user's password securely on their machine
use it to connect to the mail server
download email
Storing the user's password in plaintext is clearly a no-no. There are different ways you can handle this. The application could actually request the password from the user, which is an easy but not very convenient solution.
Usually passwords are stored using one-way hashing schemes such as SHA256 or bcrypt, but that means that you can only check whether a password matches them; you can't retrieve the password and send it elsewhere. So you have to turn to symmetric key encryption. You store the encrypted password somewhere (in a database), and when you need it you retrieve it, decrypt it, and send it over your IMAP connection. The problem with encryption is that it relies on a key, which may be compromised at some point, but hashing is not an option if you need to retrieve it.
The other thing to note is the risk in sending the password in cleartext. This is very much taken care of if your server uses SSL.
Yes, of course AUTHENTICATE PLAIN encodes a password. But servers which support admin access allow you to encode the admin's password along with the user's name so you can access the user's account.
$login_str = sprintf("%s\x00%s\x00%s", $user_name,$admin_name,$admin_pwd);
$login_str = encode_base64("$login_str", "");
When you use the encoded string in an AUTHENTICATE PLAIN login you are given access to the user's account. And you don't need the user's password.
If you do this with AUTH PLAIN...
sprintf("%s\x00%s\x00%s", $user_name,$user_name,$user_pwd);
Then you get access to the user's account. But supplying admin credentials seems to do what the OP wants to do without storing passwords.
If your IMAP server supports admin login via AUTHENTICATE PLAIN then you don't need the user's password to access his mailbox.
Many IMAP servers support this, for example Dovecot, CommuniGate, Zimbra, to name three off the top of my head.