Hello - first question on here.
I have a web database application in which I want to store passwords, but I do not like the idea of storing them in plain text. I would like to store an encrypted form of the password, and have users enter a password or key, when they need to view the password.
I can trigger a workflow in the database, which can pass stored or entered text to a URL in the form of URL parameters. For example, in a form in the application, the user sees an encrypted view of the password, and the form has a button, say [Show Password]. When [Show Password] is clicked, the app requests a key or password from the user, and passes it and the encrypted password string to a URL, where it is decrypted. The password is then shown, say in a popup.
I have a feeling that it might be more secure to use a client-side program, say JavaScript, which does the decrypt work.
The most basic form of this would be to have a key that is shared amongst users. That too is not very secure because of course people will share the key with someone they are not supposed to. Ultimately it would be great to use some kind of "what you have" 2-factor authentication, where the system requests a one-time-password that you enter via a Yubikey or a system like Duo-Security.
So my question is, does anyone on here have experience in these matters, to give me some general direction? Appreciate any advice, thank you in advance.
Sincerely,
Rick
The process you should consider is using a one-way encryption, i.e. the user submits the plaintext password that is passed over a secure connection; within your app or on the database you use the encrypted password as the key to encrypt the plain text the user provided. If they encrypted and the store match, the user
'Encrypted','password' with the result being 'Encrypted'. User authenticated/authorized.
If the user forgets their password, you would use forgot password, where the user will need to provide info to validate their identity, and send them a link that will let them set a new password. This way you eliminate the need to maintain a key and a password, since you may still run into the situation that the user forgot their password and forgot their key, which gets you back to the same point of how to get the user to verify their identity and the process you would need to include to reset/create a new set of password/key.
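The check described in the reply above, sketched as an added example that is not part of the original thread: a salted one-way hash is stored, verification re-derives it using the salt and cost read back from the stored record, and a reset link carries a random token of which only a hash is kept. PBKDF2-HMAC-SHA256, the record layout, the iteration counts and all function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000        # assumed work factor; tune for your hardware
MAX_ITERATIONS = 5_000_000  # refuse absurd costs found in a damaged record

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(("pbkdf2-sha256", str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()))

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the salt and cost read back from `stored`."""
    try:
        scheme, iters, salt_b64, digest_b64 = stored.split("$")
        count = int(iters)
        if scheme != "pbkdf2-sha256" or not 1 <= count <= MAX_ITERATIONS:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, bad number, bad base64
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, count)
    return hmac.compare_digest(candidate, expected)  # constant-time compare

def new_reset_token() -> tuple[str, str]:
    """Return (token to put in the emailed link, SHA-256 of it to store)."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()

def reset_token_matches(presented: str, stored_hash: str) -> bool:
    """Compare a presented token against the stored hash in constant time."""
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(presented_hash, stored_hash)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record.split("$")[:2], verify_password("correct horse battery staple", record))
```

Because the salt and cost travel inside the stored record, no separate key has to be kept, and the cost can be raised later without invalidating existing records.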