问题
I'm running a web service on Django. Users register to my system and provide me login details (username and password) for a 3rd party web service).
My purpose is to store this details in the best and safest way. Unfortunately my service needs this data for some offline scripts that query the 3rd party service, so I cannot store the login/password encrypted with user password (and use it to a key do decipher them.
I read lots of articles on stackoverflow, but most of them (like: What is the best way to store password in database when API call requires sending of password in plain text?) do not need an "offline" access to this data.
The only idea I have is to have these details stored on a very secured server, that only accept request from my django server, and tunnel their communication with tls.
Do you have any other ideas?
Thank you in advance!
回答1:
First and foremost, the other articles are correct: never store passwords in plain text. If you come to the conclusion that you need to store them in plain text, you need to rethink your strategy (Oauth?). The whole reason for using hashed passwords with salts is that even if things go wrong, the passwords are safe (since there are no passwords, only hashes...). I'm actually wondering for what reason exactly you need these third party usernames and passwords?
If you really must store these, use an encrypted file or database field and make it so that whenever your script runs you need to manually enter the decryption password. I assume here that you don't run this script every 5 minutes, but once a week or so. Besides that, make absolutely sure that the server doing this is not doing anything else and has no other local users, otherwise it would be possible to analyze memory for instance and find the decrypted passwords.
In all, I would still say that what you're attempting is very, very dangerous, and you should proceed very carefully...
来源:https://stackoverflow.com/questions/16302827/how-to-securely-store-a-password-for-a-3rd-party-service-in-django