Question

I wrote a simple PHP script to log into my mobile phone provider's website, check my balance, and send me an email if it's too low. I put the script on a distant server.

It seems that I have to store my password as plaintext in the script to be able to send it to the login page. However, I am a little bit reluctant to do this...

$user="foo";
$password="blah";

Is there a more secure way?


Solution

You cannot secure a system which is capable of logging you in automatically if someone has access to the source. Let's try to prove it.

  1. System Smart is able to log you in without you having to do anything.
  2. Mr. Evil has access to the source of System Smart.
  3. System Smart knows what to do to log in as you. (From the first point.)
  4. Mr. Evil knows what System Smart knows. (From the second point.)
  5. Mr. Evil knows what to do to log in as you. (From the third and fourth points.)

Conclusion: This scenario is not secure.

This is proof by contradiction if you start with the hypothesis that the scenario is secure.

Update: But if you want to just make it harder than plain-text then you can use a symmetric key.

OTHER TIPS

There are ways to obfuscate it, but ultimately none of those are much safer than plaintext if someone has access to the file - since you also need to decode it there to be able to log in on the provider's site.

The script has the capability to log you in to your provider unattended.

This means that anyone who controls the script will also have this capability, usable by running the script.

Nothing you can do will prevent this. The only solution is to either live with the potential compromise of your password, or to only place the script on a server you control.

If you want to go overboard on it you could set it up in such a way that your password is stored in a mysql database encrypted using aes_encrypt and then you create another script on another server that makes calls to the server with your password requesting the password by providing the salt for use with the aes_decrypt function.
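As an added example (not code from the question or from any of the answers), one way to implement the symmetric-key idea from the update above and the encrypt-it-at-rest tip in this answer, using PHP's bundled libsodium extension instead of MySQL; the ciphertext path and the environment-variable name are assumptions:

```php
<?php
// Added example, not from the question or the answers. The script file holds
// no password: the ciphertext sits in a separate 0600 file and the key comes
// from the cron job's environment. Anyone who can read BOTH still obtains the
// password, as the answers explain; the gain is that reading the script alone is not enough.
declare(strict_types=1);
const CIPHERTEXT_FILE = '/etc/balance-check/password.enc'; // assumed path, mode 0600
const KEY_ENV         = 'BALANCE_CHECK_KEY';              // assumed env var holding a base64 key
// One-time setup on a machine you trust: generate the key with
//   base64_encode(sodium_crypto_secretbox_keygen())
// write the result of encryptPassword() to CIPHERTEXT_FILE, and give the key
// only to the cron job's environment, never to a file beside the script.
function encryptPassword(string $password, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key must be exactly 32 bytes');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per encryption
    $box   = sodium_crypto_secretbox($password, $nonce, $key);  // authenticated encryption
    return base64_encode($nonce . $box);                         // stored as nonce || ciphertext
}
function decryptPassword(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('stored password is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) { // wrong key or tampered file: fail closed, send nothing to the provider
        throw new RuntimeException('decryption failed (wrong key or tampered ciphertext)');
    }
    return $plain;
}
// Runtime path the balance-check script calls instead of $password="blah".
function loadProviderPassword(): string
{
    $keyB64 = getenv(KEY_ENV);
    $key    = $keyB64 === false ? false : base64_decode($keyB64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException(KEY_ENV . ' is missing or is not a base64-encoded 32-byte key');
    }
    $stored = file_get_contents(CIPHERTEXT_FILE); // false if the file is unreadable
    if ($stored === false) { throw new RuntimeException('cannot read ' . CIPHERTEXT_FILE); }
    return decryptPassword(trim($stored), $key);
}
```

Keeping the key only in the job's environment (for example via a root-owned crontab entry) means a copy of the script directory, or a web-accessible leak of it, does not expose the password by itself; a compromise of the account the job runs as still does.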

Licensed under: CC-BY-SA with attribution