asked on
Hello - first question on here.
I have a web database application in which I want to store passwords, but I do not like the idea of storing them in plain text. I would like to store an encrypted form of the password, and have users enter a password or key, when they need to view the password.
I can trigger a workflow in the database, which can pass stored or entered text to a URL in the form of URL parameters. For example, in a form in the application, the user sees an encrypted view of the password, and the form has a button, say [Show Password]. When [Show Password] is clicked, the app requests a key or password from the user, and passes it and the encrypted password string to an URL, where it is decrypted. The password is then shown, say in a popup.
I have a feeling that it might be more secure to use a client-side program, say javascript, which does the decrypt work.
The most basic form of this would be to have a key that is shared amongst users. That too is not very secure because of course people will share the key with someone they are not supposed to. Ultimately it would be great to use some kind of "what you have" 2-factor authentication, where the system requests a one-time-password that you enter via a Yubikey or a system like Duo-Security.
So my question is, does anyone on here have experience in these matters, to give me some general direction? Appreciate any advice, thank you in advance.
Sincerely,
Rick
I have a web database application in which I want to store passwords, but I do not like the idea of storing them in plain text. I would like to store an encrypted form of the password, and have users enter a password or key, when they need to view the password.
I can trigger a workflow in the database, which can pass stored or entered text to a URL in the form of URL parameters. For example, in a form in the application, the user sees an encrypted view of the password, and the form has a button, say [Show Password]. When [Show Password] is clicked, the app requests a key or password from the user, and passes it and the encrypted password string to an URL, where it is decrypted. The password is then shown, say in a popup.
I have a feeling that it might be more secure to use a client-side program, say javascript, which does the decrypt work.
The most basic form of this would be to have a key that is shared amongst users. That too is not very secure because of course people will share the key with someone they are not supposed to. Ultimately it would be great to use some kind of "what you have" 2-factor authentication, where the system requests a one-time-password that you enter via a Yubikey or a system like Duo-Security.
So my question is, does anyone on here have experience in these matters, to give me some general direction? Appreciate any advice, thank you in advance.
Sincerely,
Rick
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 8 Comments.
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 8 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.