Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
anothere642019-01-25 14:55:23
Password storage
anothere64, 2019-01-25 14:55:23

How to transfer the password from the application to the server in encrypted form?

Hello! I am making an instagram bot for my own needs. There is an application on a PC / Smartphone that stores passwords from instagram accounts. In the application, you can also create a task for the bot (likes, subscriptions, etc.). There is a server on which the bot scripts actually work (selenium webdriver + python).
Now it works like this:

  1. A task is created in the application, for example, go to Instagram from a specific account, find a hashtag, put likes.
  2. The task is saved in the database on the server, along with the login and password from the account.
  3. The script on the server automatically, with a certain time interval, performs this task.

So the question is how not to store account passwords on the server? Or somehow transfer them and store them in encrypted form? But how then to perform authorization?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
V
Vladimir Kuts, 2019-01-25
@fox_12

As an option - log in from a mobile application, save the session data (cookies, token, what else does the api give out during authentication ...) and send them to the server so that the server, using this session data, accesses the api.

Report
R
rPman, 2019-01-25
@rPman

I understand you want to protect your passwords from being viewed by the hosting administrator?
In general, no way!
But you can make life much more difficult if, in principle, you don’t store them on the server, but only in RAM, transferring them from your other reliable server or even your computer / mobile phone (in case the main one is restarted).
For example, the simplest thing is to pass all the necessary passwords when starting the bot through the pipe, the bot must stupidly wait at startup for the password to be sent to it through the pipe and only after that work, you can implement an alarm if the password is not received for a long time (for example, send you an SMS), yours a local trusted server can stupidly connect to the server via ssh and send the password via stdin:
The only way for the hosting admin to get this password out is to dig into the server's memory dumps or very cleverly modify the code of the used interpreters, ssh or the linux kernel (and you can control this yourself by setting your versions of the entire used environment up to a full-fledged virtual machine, launching it cascaded). In general, the cost of an attack takes off by orders of magnitude.
ps you can also not store your bot code on the server, but transfer it through pipes

Similar questions
P
Petr Alexandrovich2016-03-06 15:09:21
Is Keepass really that secure? 3Reply
V
Volodymyr S.2014-01-29 11:09:06
What is a good password manager for iOS? 1Reply
T
tiqq2018-10-26 15:28:03
Is it legal that my password is not encrypted? 2Reply
K
Kotovasofa2020-11-05 08:39:12
Where is the best place to store passwords? 2Reply
H
Hosting Yaroslavl2019-02-08 13:10:15
What is the encryption algorithm for FTP passwords in Notepad++? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question