PHP
Crash XD, 2019-04-05 13:17:20

How to encrypt and how to store passwords in the database that will need to be displayed in the frontend?

I know almost nothing about cryptography, but there is a task that needs to be solved.
There is a working project (a site on Laravel) where a module for sharing passwords with a group of users needs to be built.
For example, user1 has a password. He shares it with user2, and they both get access to it (they see the decrypted password).
As far as I understand, asymmetric encryption has a public and a private key. For access to the password by only one user, it would be possible to store the public key on the server, and the private key (maybe in the form of a master password) would be entered by the user himself for decryption.
But with a group of users, I can't figure out how to organize it so that it is more or less safe.
What are the options for encrypting and for storing the keys and the encrypted passwords themselves, so that both users can see the decrypted password in their personal accounts?
Which direction should I dig in? Maybe I'm missing something and the answer lies on the surface?


5 answer(s)
sim3x, 2019-04-05
@crashxd

The only sane option is when users have their own keys and exchange them with each other.
Your service only transmits the encrypted text, and users decrypt everything in their gpg.
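
The arrangement this answer describes, extended to a group, as an added example that is not part of the original thread: the password is encrypted once with a random data key, and that key is sealed separately to each member's public key, so the server stores only ciphertext. It uses libsodium sealed boxes from PHP's bundled sodium extension rather than gpg; the function names and record layout are hypothetical, and both sides run in one script only for demonstration.

```php
<?php
// Added illustration: function names and record layout are hypothetical.
// Requires PHP's bundled sodium extension (PHP 7.2+).

// Client side: each user creates a keypair; only 'public' is uploaded.
function newUserKeypair(): array {
    $kp = sodium_crypto_box_keypair();
    return ['public' => sodium_crypto_box_publickey($kp), 'keypair' => $kp];
}

// Owner's client: encrypt the password once with a random data key,
// then seal that data key to every group member's public key.
function shareSecret(string $password, array $memberPublicKeys): array {
    $dataKey = sodium_crypto_secretbox_keygen();
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $record = [
        'nonce' => $nonce,
        'ciphertext' => sodium_crypto_secretbox($password, $nonce, $dataKey),
        'wrapped' => [],
    ];
    foreach ($memberPublicKeys as $userId => $publicKey) {
        $record['wrapped'][$userId] = sodium_crypto_box_seal($dataKey, $publicKey);
    }
    sodium_memzero($dataKey);
    return $record; // everything the server stores; no key material in the clear
}

// Member's client: unseal own copy of the data key, then decrypt.
// Returns null when the user has no entry or authentication fails.
function openSecret(array $record, string $userId, string $keypair): ?string {
    if (!isset($record['wrapped'][$userId])) {
        return null;
    }
    $dataKey = sodium_crypto_box_seal_open($record['wrapped'][$userId], $keypair);
    if ($dataKey === false) {
        return null;
    }
    $plain = sodium_crypto_secretbox_open($record['ciphertext'], $record['nonce'], $dataKey);
    sodium_memzero($dataKey);
    return $plain === false ? null : $plain;
}

// Constructed sample: user1 shares with user2; user3 is outside the group.
[$u1, $u2, $u3] = [newUserKeypair(), newUserKeypair(), newUserKeypair()];
$record = shareSecret('constructed-sample-password', ['user1' => $u1['public'], 'user2' => $u2['public']]);
var_dump(openSecret($record, 'user1', $u1['keypair']));
var_dump(openSecret($record, 'user2', $u2['keypair']));
var_dump(openSecret($record, 'user3', $u3['keypair'])); // no wrapped key for user3
var_dump(openSecret($record, 'user2', $u3['keypair'])); // user2's entry, wrong private key
```

Deleting a member's entry from `wrapped` only stops that member from decrypting the record in future; a member who has already seen the password is cut off only by changing the password itself, as a later answer in this thread points out.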

Saboteur, 2019-04-05
@saboteur_kiev

The whole ideology of working with passwords does not imply that they should be stored, let alone be visible to anyone.
Why do you need to distribute exactly one password for a resource to different users?
Why not give different users different passwords to the one desired resource?

Andrey, 2019-04-05
@VladimirAndreev

But still, do you need to show the password, or give the opportunity to log in with a password?
If it is to log in, then the password does not need to be shown in decrypted form :)

abmanimenja, 2019-04-05
@abmanimenja

This is a potentially huge security hole.
In particular, it is not so easy to revoke the password for one user when more than one user has access to it (you will have to change it, which will affect all users; they will have to get the password again).
However, if everything is not critical for you, then you can.
And in serious cases, tokens are used (with a limited lifetime), for example. Or one-time passwords.
And tools for managing them, for example:
https://habr.com/ru/post/306812/
https://blog.amet13.name/2018/07/hashicorp-vault-o...

Immortal_pony, 2019-04-05
@Immortal_pony

Store the password encrypted with AES256 on the server.
If the user has the right to receive this password, decrypt it and give it back.
