Storing passwords in the database, is the encryption logic correct and secure?
The client needs a system for storing passwords for different projects, and each password can have one access for different users (this is a necessary, undeniable condition).
In case of theft of the database or project files, the encryption key should not be exposed anywhere.
What if:
We encrypt passwords with one master key.
Each user of the system has their own key, which is used to encrypt the master. Accordingly, each user enters their personal key to access the final password -> the system decrypts the master -> decrypts the password -> issues it to the user of the system. All of this is wrapped in access-rights logic at the system level.
Point out the flaws in the logic; I'm a layman in data protection.
With this approach, I see a problem if you store the personal key in the session.
You will also have to store an encrypted master for each user. If the master is in open form in scripts - uploading a shell or reading files through mysqli can lead to sad results...
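The scheme from the question, with the per-user encrypted master the answer calls for, as an added example that is not part of the original thread. It assumes PHP 7.2+ with the bundled sodium extension; the function names, row layout and sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// KEK = key-encryption key derived from the user's personal passphrase (sodium_crypto_pwhash).
function derive_kek(string $passphrase, string $salt): string {
    return sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $passphrase, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
}

// Authenticated encryption; the random nonce is stored in front of the ciphertext.
function seal(string $plain, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
}

function open_sealed(string $blob, string $key): string {
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($ct, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('wrong key or tampered data');
    }
    return $plain;
}

// Row stored per user: a salt plus the master key wrapped under that user's KEK.
function wrap_master_for_user(string $master, string $passphrase): array {
    $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    return ['salt' => $salt, 'wrapped_master' => seal($master, derive_kek($passphrase, $salt))];
}

// passphrase -> KEK -> master key -> project password, all in memory only.
function read_secret(array $userRow, string $passphrase, string $sealedSecret): string {
    $master = open_sealed($userRow['wrapped_master'], derive_kek($passphrase, $userRow['salt']));
    $secret = open_sealed($sealedSecret, $master);
    sodium_memzero($master); // wipe the unwrapped master key after use
    return $secret;
}

// Constructed sample data; in a real system the rows and $stored live in the database.
$master = sodium_crypto_secretbox_keygen();
$alice = wrap_master_for_user($master, 'alice-passphrase-constructed');
$bob = wrap_master_for_user($master, 'bob-passphrase-constructed');
$stored = seal('project-db-password-constructed', $master);
sodium_memzero($master); // the plaintext master key is never written to disk

echo read_secret($alice, 'alice-passphrase-constructed', $stored), PHP_EOL;
try {
    read_secret($bob, 'wrong passphrase', $stored);
} catch (RuntimeException $e) { echo 'bob: ', $e->getMessage(), PHP_EOL; }
```

Deleting a user's row removes their access to the wrapped master going forward, but a user who has already unwrapped the master has seen it, so revocation also means rotating the master key and re-encrypting the stored passwords.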