prashants / webzash

Easy to use web based double entry accounting software in PHP - MySQL under MIT License
http://webzash.org

Encrypt passwords stored in database #51

Open tylerhcarter opened 8 years ago

tylerhcarter commented 8 years ago

Currently all passwords, except user logins, are stored plaintext in the .sqlite database. This creates a security issue if someone got access to that file through the web server. The same issue is true if it is stored in a MySQL database in the future. Anyone with access can see the passwords.

Ideally, all passwords should be encrypted using a randomly generated key that is unique for each site and stored separately from the database. This will help us on a number of levels:

My suggestion for this is to have the setup routine automatically create a configuration file when it doesn't already exist. We could store it as a file Config/wz-config.php and automatically set seeds. Here's a quick example to prove the concept.

// Generate a site-specific random key once, on first run, and keep it in a file outside the database.
if ( ! file_exists( 'wz-config.php' ) ) {
    // No closing "?>" tag: a trailing newline after it would be sent as output when the file is included.
    $code = '<?php define( "WZ_SECURITY_KEY", "' . get_random_key() . '" );';
    file_put_contents( 'wz-config.php', $code );
}
include( 'wz-config.php' );

// Symmetric encryption (not hashing), so the plaintext can be recovered when it is needed.
$encrypted_data = some_encrypt_function( WZ_SECURITY_KEY, $secret_data );
$decrypted_data = some_decrypt_function( WZ_SECURITY_KEY, $encrypted_data );

This is quite similar to how WordPress does it, although they provide a sample config file and copy it over. Drupal has a similar mechanism, although it's up to you to manually copy it over yourself.

From here, it's a hop-skip-and-a-jump over to defining any other site specific configuration options in a non-core file. Once that wz-config.php file is created, you could just have users drop in constants in order to tweak the behavior of WebZash.

prashants commented 8 years ago

How do I get the password back to connect to database ?

tylerhcarter commented 8 years ago

I'm confused. The whole reason we're using an encryption method instead of a hashing method is so you can just do something like:

// Fetch the stored (encrypted) connection details for this account, then decrypt the
// password with the site key at connect time; only the ciphertext ever sits in the database.
$details = get_database_info( $account );
$resource = mysql_connect( ..... some_decrypt_function( WZ_SECURITY_KEY, $details['password'] ), .... );

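An added, self-contained example of the scheme discussed in this thread: the generated-key config file from the first comment and the decrypt-at-connect-time use from the reply just above. This is not WebZash code. It assumes the sodium extension (bundled with PHP 7.2 and later), the Config/wz-config.php path proposed in the issue, and hypothetical helper names wz_load_config, wz_encrypt and wz_decrypt; WZ_SECURITY_KEY is the constant the issue proposes.

```php
<?php
declare(strict_types=1);
// Added example, not WebZash code. Generates a per-site key on first run, keeps it in a
// PHP config file outside the database, and uses it to encrypt/decrypt stored secrets.
// Assumes the sodium extension (PHP >= 7.2). Function names and the config path are
// hypothetical; WZ_SECURITY_KEY is the constant proposed in the issue.

const WZ_CONFIG_FILE = __DIR__ . '/Config/wz-config.php';   // path proposed in the issue
const WZ_FORMAT_TAG  = 'v1:';   // lets a future key or cipher change be recognised on read

/**
 * Create the config file with a fresh random key if it does not exist, then load it.
 * The key is hex-encoded so it survives as a plain PHP string literal.
 */
function wz_load_config(string $path): void
{
    if (!file_exists($path)) {
        @mkdir(dirname($path), 0700, true);
        $key  = bin2hex(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));
        // No closing "?>": a stray newline after it would be sent as output on include.
        $code = "<?php\ndefine('WZ_SECURITY_KEY', '{$key}');\n";
        // 'x' fails if the file already exists, so two concurrent first requests cannot
        // each write their own key; the loser simply includes the winner's file below.
        $fh = @fopen($path, 'x');
        if ($fh !== false) {
            fwrite($fh, $code);
            fclose($fh);
            chmod($path, 0600);   // readable by the web server user only
        }
    }
    require_once $path;
    if (!defined('WZ_SECURITY_KEY') || !ctype_xdigit(WZ_SECURITY_KEY)
        || strlen(WZ_SECURITY_KEY) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('WZ_SECURITY_KEY is missing or malformed in ' . $path);
    }
}

/** Encrypt a secret for storage. Output is text-safe: tag + base64(nonce || ciphertext+MAC). */
function wz_encrypt(string $plaintext): string
{
    $key   = hex2bin(WZ_SECURITY_KEY);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh nonce per encryption
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($key);
    return WZ_FORMAT_TAG . base64_encode($nonce . $box);
}

/** Recover the secret. Fails closed: a wrong key or a modified row throws instead of returning garbage. */
function wz_decrypt(string $stored): string
{
    if (strncmp($stored, WZ_FORMAT_TAG, strlen(WZ_FORMAT_TAG)) !== 0) {
        throw new RuntimeException('unrecognised ciphertext format');
    }
    $raw = base64_decode(substr($stored, strlen(WZ_FORMAT_TAG)), true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('ciphertext truncated or not base64');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = hex2bin(WZ_SECURITY_KEY);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    sodium_memzero($key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong WZ_SECURITY_KEY or tampered data');
    }
    return $plain;
}

// Usage: what goes into the accounts table, and what is handed to the DB connector.
wz_load_config(WZ_CONFIG_FILE);
$stored     = wz_encrypt('db-s3cret');   // constructed sample secret; store this, never the plaintext
$dbPassword = wz_decrypt($stored);       // decrypt at connect time, as in the reply above
assert($dbPassword === 'db-s3cret');

// Tamper check: changing one character of the stored value makes wz_decrypt() throw.
$tampered = $stored;
$last = strlen($tampered) - 1;
$tampered[$last] = ($tampered[$last] === 'A') ? 'B' : 'A';
try {
    wz_decrypt($tampered);
    echo "unexpected success\n";
} catch (RuntimeException $e) {
    echo 'tamper detected: ' . $e->getMessage() . "\n";
}
```

Two points the thread's sketch leaves implicit. The key file only helps if it is not reachable the same way the .sqlite file is: put Config/ outside the document root or deny it in the web server config, otherwise anyone who can download the database can download the key with it. And because secretbox is authenticated encryption, a row that has been edited in the database (or copied in from another site, which has a different key) is rejected on decrypt rather than silently producing a wrong password.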
prashants commented 8 years ago

Got it :)