Sergey Savostin, 2011-11-15 15:46:53

"Remote Hands" and password security

Could people who know please tell me which direction to dig in?

There is an idea to make a service that will automatically, without user intervention, perform certain actions on another, third-party site. Naturally, the third-party site requires authorization by login/password. There is no OAuth, i.e. to enter the site you always need a username/password combination. There is also a session key, which, in theory, can be obtained and stored instead of the login/password, but there is a chance that the key will become invalid. Then the user will have to "transition", which is not convenient. And it will also be necessary to maintain this key by constantly "pinging" the third-party service.

Actually, the question is: how to organize all this as securely as possible, so that the user feels protected and secures himself as much as possible from theft of client passwords?

So far, I see only a variant with a cunning self-written encryption algorithm (or a “normal” algorithm with a salt hardcoded into the source) compiled into executable code, and the username / password is clearly encrypted in the database.

Once again I will clarify the scheme:
1. The user registers on my service, leaves (?) a login/password for a third-party service.
2. The service itself (by cron) logs in for the user on a third-party service, performs actions, writes logs.
3. The client comes to my service, checks the logs.


3 answer(s)
GavriKos, 2011-11-15
@GavriKos

Usually, how secure the user feels is not much dependent on how and what you encrypt - the user does not see it all. Protect against theft - yes, encryption, salt ...
And a third-party service - one fixed?

sajgak, 2011-11-15
@sajgak

If a third-party service does not support open authorization, then only a login with a password. You can of course pervert, but usually the slightest change in the logic of the service, and you have to look for a new way to store data.

Sergey Savostin, 2011-11-15
@savostin

What are the recommendations for the encryption method? Say, is DES_ENCRYPT fine?
