carlosmoreeira Posted February 25, 2014

Hello, I am trying to create a password storing application, but cannot figure out the best way to store account passwords. The application won't store just user passwords to login, but passwords for other accounts. For example, the client wants to be able to store all their Facebook and Twitter passwords on the site, then log in when they want to find it. I was going to make it so the admin needed to repeat the password they used to log in to the application to retrieve another password. All of this is no problem, it's just encrypting the passwords and being able to "un-encrypt" it later so they can see it. Any help would be appreciated. The person doesn't really care if it's secure, they just want me to store the strings in the database to be retrieved later, but I want to make it secure. Thank you

.josh Posted February 25, 2014

oh dear.. i wouldn't touch that liability with a 100ft pole.. there are plenty of "universal pw storage" programs out there that are on the client's computer, and that's where it should be. I guess the only "help" that statement offers is I'd strongly recommend you try your very hardest to push back on this or otherwise remove yourself from it.. cuz.. that is a huge liability.

requinix Posted February 25, 2014

> the person doesn't really care if its secure

Your client is stupid.

carlosmoreeira Posted February 25, 2014

> oh dear.. i wouldn't touch that liability with a 100ft pole.. there are plenty of "universal pw storage" programs out there that are on the client's computer, and that's where it should be. I guess the only "help" that statement offers is I'd strongly recommend you try your very hardest to push back on this or otherwise remove yourself from it.. cuz.. that is a huge liability.

I had a feeling someone would say that, as I am trying to push it back myself lol. I just wanted to see what were the best options. I don't want them to pay someone overseas and have absolutely no security in it at all. I have told them it's a huge risk, so the contract will protect me if anything happens.

carlosmoreeira Posted February 25, 2014

> Your client is stupid.

If I only had a quarter for the amount of times I've said that to myself.

.josh Posted February 25, 2014

> I just wanted to see what were the best options. I don't want them to pay someone overseas and have absolutely no security in it at all. I have told them its a huge risk, so the contract will protect me if anything happens.

man.. again.. take it for what it's worth.. but I have a sneaking suspicion no amount of words in a contract will be bulletproof against the hordes of angry lawyers released on you by angry social media sites and other big name businesses if whatever you do is hacked. If it were me, I'd tell them hell no I'm not doing it, even if it cost me my job. I know that's a lot easier to say when I'm not in your position, but I just couldn't take that risk regardless.

.josh Posted February 25, 2014

In any case, if you are somehow confident or are otherwise not deterred by any liabilities you may impose on yourself.. use password. If the server is not on php v5.5.0+ yet, there is an alternative. If you still don't meet the php v5.3 req for that, then.. I mean if you're really really confident in not being held liable..lol just md5 or sha1 it up.

.josh Posted February 25, 2014

actually wait.. you said you need to be able to decrypt it to show plaintext version.. so mcrypt functions are as good as any.. This comment has an easy straightforward class for it. I guess.. your funeral.
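
Added example, not part of the thread or any poster's code: one way to do the reversible storage the original post describes, with the encryption key derived from the login password the admin re-enters, so the database holds no key. It assumes PHP 7.1+ with the openssl extension (AES-256-GCM) in place of mcrypt, which was removed from PHP core in 7.2; the function names, record layout and iteration count are hypothetical choices for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the thread.
const KDF_ITERATIONS = 600000; // assumed work factor; tune to your hardware

// Derive a 256-bit key from the login password the user re-enters.
function derive_key(string $loginPassword, string $salt): string
{
    return hash_pbkdf2('sha256', $loginPassword, $salt, KDF_ITERATIONS, 32, true);
}

// Encrypt one stored credential; returns one base64 string for the DB column.
function seal_secret(string $plaintext, string $loginPassword): string
{
    $salt = random_bytes(16); // per-record KDF salt
    $iv   = random_bytes(12); // 96-bit GCM nonce, fresh for every record
    $tag  = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', derive_key($loginPassword, $salt),
                          OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Record layout (assumed): salt(16) | iv(12) | tag(16) | ciphertext
    return base64_encode($salt . $iv . $tag . $ct);
}

// Decrypt; returns null on a wrong password or a tampered/truncated record.
function open_secret(string $record, string $loginPassword): ?string
{
    $raw = base64_decode($record, true);
    if ($raw === false || strlen($raw) < 16 + 12 + 16) {
        return null;
    }
    $salt = substr($raw, 0, 16);
    $iv   = substr($raw, 16, 12);
    $tag  = substr($raw, 28, 16);
    $ct   = (string) substr($raw, 44);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', derive_key($loginPassword, $salt),
                          OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample values, for demonstration only.
$record = seal_secret('example-twitter-password', 'admin login password');
var_dump(open_secret($record, 'admin login password')); // round trip
var_dump(open_secret($record, 'wrong password'));       // GCM tag check fails
```

Because the key comes from the login password, a database dump alone does not reveal the stored credentials, but a login password change means decrypting and re-sealing every record. The login password itself is still stored only as a one-way hash, separately from this.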