
I'm working on a WordPress plugin. This plugin uses password encryption, and uses a secret key and IV key.

Can I show these keys to the administrator or is that insecure? What can happen when someone sees the secret key?

Mitch
  • Administrators are usually thought of as trusted but that will depend on who they work for and how much you trust them. What is the nature of the password you are encrypting? I'm assuming it's not an end-user password (which should be hashed, not encrypted). – John Wu Sep 11 '16 at 19:07
  • Sounds like you are using a static IV. IVs aren't secret but they should never be reused. They should be randomly generated each time. You should fix this if you want things to be secure. – Luke Park Sep 11 '16 at 19:11
  • "I'm working on..." does that mean that you are creating a plugin, or using one that has already been created? If you are creating your own, I apologise, but you are going to get a flood of people telling you to do things very differently, and that's not going to answer your question about trust. – schroeder Sep 11 '16 at 20:22

1 Answer

The first question is, for the love of $DEITY, why are you using password encryption? Passwords should be passed through a secure and slow key derivation function, something like PBKDF2 or scrypt, and should never be stored reversibly encrypted. Using reversibly encrypted passwords is already insecure!

Actually, the zeroth question is, why are you reinventing the wheel? If you don't know enough about how to do authentication or encryption that you are asking a question like this, and calling an IV a "key", then you really shouldn't be trying to roll your own authentication system. Just use one of the existing ones written by somebody who knows what they're doing. You'll save time, your users (and admins!) will be safer, and you'll avoid contributing to the cesspool of terrible WP plugins that lead to site after site getting compromised and leaking all their user details including passwords all the time.

If, for some legitimate reason (which I'd put it at 90% confidence you don't have), you actually need to store passwords reversibly encrypted, you're still doing all kinds of things wrong. Don't use a static IV; use a unique IV per password (thus, as with a salt in any half-decent authentication scheme, two users whose passwords match won't have the same encrypted password string). Definitely don't put any avenue (even one intended only for admins) that shows the encryption key for any user at any time for any reason. Don't show the IV, either. For that matter, don't show the password, even in encrypted form. Any time you add dangerous functionality like that, you make it that much easier for an attacker to compromise your site or leak all your user credentials.

If you absolutely must do such terrible things (and I'm using "must" in the sense of "it's in the contract, and if I don't do it exactly that way I don't get paid, and there's nobody I can talk to about what a terrible idea this is"), you still shouldn't do it yourself. Use an existing module written by somebody else, or get somebody who is much more familiar with web application security than you are to write yours.

It's probably hopeless to make it actually secure at this point (unless you know way more about web app security than it sounds like you do; for a basic test, if I say "CSRF", do you know what I mean without looking it up?) but there's nowhere near enough space in a StackOverflow answer to explain all the things you'd need to know to do that. OWASP is a decent place to start educating yourself about that. Here's their page on password storage.

CBHacking
  • TLDR: Get someone who knows what they are doing to rewrite your authentication system, it sounds very broken. – Luke Park Sep 11 '16 at 19:21