Saturday, 15 April 2017

How to handle passwords storage for later use for my Web project?

I want to build in NodeJS (Node + React + Mongo + Express) a Web aggregator that implies storing several passwords for each user.

To give you an example, imagine a sports betting aggregator where in the same dashboard, my user can see all his latest picks, the money he has on each betting site and so on...

To have this information available, as most of these sites do not have an API, I will have to enter each sports betting site for each user - which requires that they give me their login information.

Please note that my web aggregator would eventually send an email each night with all the gathered info (new balance, lost picks...): so it has to be able to process everything without any user input.

I want this to be ultra-secure since the info on each site is highly sensitive. On each betting site, people will deposit some money, and if some hacker got in, he could withdraw that money to his own account (and obviously a hacker could use that password, try it somewhere else and get some other vulnerable information). So I want to prevent anybody from somehow getting the passwords.

What do you think? Should I be afraid that this could happen? Or is it a risk I should assume? When you read about big hacks at LinkedIn or Yahoo, you kind of get afraid that the same would happen...

I thought of different solutions:

  1. Store the passwords on the server side. But I can't hash them completely, since I need to retrieve them periodically and use them to log in to some sites (via my server) to get the needed info. That would not be super secure.
  2. Store the passwords via cookies on the client side. The drawback is that I would not be able to have a cron each night sending an email to that user (since the server would not have the credentials to enter each site). And if the person does not accept cookies or erases them, he would need to log in to all services all over again. (And I'm not talking about leaving your session open, this kind of stuff, or using it from any public place.)

What do you think? Are there any other solutions? For the first idea, server side, is there a way to increase the security of my passwords?



via nicolasdaudin
