Storing login info for other services/applications

I’ve been kind of stumped on this one lately . . . I’m planning on adding syncing and interfacing in my application to a couple other web apps through their APIs (specifically Basecamp and del.icio.us). How can I store users’ login credentials to these other services securely? Obviously a regular MD5 or SHA1 hash won't work, because I need to be able to retrieve the full password to send to these services.

Any ideas?

–AQ

{0}~---------------------------------

Aaron Quint

aaron@quirkey.com

[http://www.quirkey.com](http://www.quirkey.com)

Yeah, fundamentally there's no really secure way to do it. To avoid storing clear-text passwords, you can use a 2-way (reversible) encryption function to store the foreign password. Basically encrypt the password to save it, then decrypt it when you need to use it.

The problem is that if your app can decrypt the password, then so can an attacker. You can add salt to the encryption, but it will still be possible to break the encryption, especially if the attacker can get access to your code.

One approach is the "key store" approach used by common password vault systems. Here you encrypt the passwords using a "master password" given to you by the user. The trick is that you NEVER store this password. Instead, you ask the user for it whenever you need to decrypt and use one of the stored passwords.

This should be pretty secure, but obviously at the disadvantage of requiring the user to type in the master password frequently.

I figured there was no easy solution. What about using the database-stored hash of the user's password as the salt for encryption? This way every user's salt is different, and a little more secure.

The problem with using the “key store” approach is that if the user is constantly entering a password, there’s no real advantage to storing the passwords at all . . .

Is there an easy way to do salted two way encryption in Ruby? What types of encryption are two way?

Thanks for your help!

–AQ

{o}~~~~~~~~~~~~~~~~~~~

Aaron Quint

aaron@quirkey.com

[http://www.quirkey.com](http://www.quirkey.com)
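The "key store" approach from the reply and the "salted two-way encryption in Ruby" question from the follow-up post can both be shown with one short Ruby module. This is an added example, not code from either poster: it uses Ruby's standard OpenSSL library, derives an AES-256 key from the user's master password with PBKDF2 and a random per-user salt, and encrypts the foreign password with AES-GCM so that a wrong master password or a modified database record is detected instead of yielding garbage. The module name, field names and the sample password strings are assumptions made for the example.

```ruby
require "openssl"
require "securerandom"
require "base64"
require "json"

# Added example (not from the original thread): a minimal "key store" for
# third-party credentials. The foreign password is encrypted under a key
# derived from the user's master password, which is never written to disk.
module CredentialVault
  KDF_ITERATIONS = 100_000   # PBKDF2 work factor; tune to your hardware
  KEY_BYTES      = 32        # AES-256
  IV_BYTES       = 12        # recommended GCM nonce size

  # Derive a 256-bit key from the master password and a per-user random salt.
  # The salt is stored next to the ciphertext; only the master password is secret.
  def self.derive_key(master_password, salt)
    OpenSSL::KDF.pbkdf2_hmac(master_password, salt: salt,
                             iterations: KDF_ITERATIONS,
                             length: KEY_BYTES, hash: "sha256")
  end

  # Encrypt a foreign password. Returns a JSON string suitable for a DB column.
  # Salt, IV and tag are stored in the clear: none of them is a secret.
  def self.seal(foreign_password, master_password)
    salt = SecureRandom.random_bytes(16)
    iv   = SecureRandom.random_bytes(IV_BYTES)
    cipher = OpenSSL::Cipher.new("aes-256-gcm")
    cipher.encrypt
    cipher.key = derive_key(master_password, salt)
    cipher.iv  = iv
    cipher.auth_data = ""                 # no associated data in this example
    ciphertext = cipher.update(foreign_password) + cipher.final
    JSON.generate(
      "salt" => Base64.strict_encode64(salt),
      "iv"   => Base64.strict_encode64(iv),
      "ct"   => Base64.strict_encode64(ciphertext),
      "tag"  => Base64.strict_encode64(cipher.auth_tag)
    )
  end

  # Decrypt a record. Returns the plaintext, or nil when the master password is
  # wrong or the record was altered (GCM tag verification fails in both cases).
  def self.unseal(record, master_password)
    fields = JSON.parse(record)
    salt, iv, ct, tag = %w[salt iv ct tag].map { |k| Base64.strict_decode64(fields.fetch(k)) }
    cipher = OpenSSL::Cipher.new("aes-256-gcm")
    cipher.decrypt
    cipher.key = derive_key(master_password, salt)
    cipher.iv  = iv
    cipher.auth_tag  = tag                # must be set before #final
    cipher.auth_data = ""
    cipher.update(ct) + cipher.final
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end

if __FILE__ == $0
  # Constructed sample values; the master password is supplied by the user at
  # sync time and never stored.
  record = CredentialVault.seal("basecamp-password-example", "correct horse battery staple")
  puts record
  puts CredentialVault.unseal(record, "correct horse battery staple").inspect
  puts CredentialVault.unseal(record, "wrong master password").inspect
end
```

The design point this illustrates is the one the reply makes: whatever the application can read at rest (the stored record, the per-user salt, a hash already sitting in the users table) is equally readable by anyone who obtains the database or the code, so it can vary the ciphertext per user but cannot act as the secret. The only input that is absent from the server is the master password, which is why it has to be prompted for at decryption time; AES-GCM's tag check is what turns a wrong prompt or a tampered row into a clean failure rather than a silently wrong credential sent to the remote service.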