November 20th, 2011


Any advice on storing passwords securely?

I'm currently adding Wordpress support to my link poster. And I've hit a hitch with passwords.

LJ's security means you pass the username and MD5(LJChallenge+MD5(Password)) - where LJChallenge is retrieved for each call you make. This means that I can store the MD5 of the user's password rather than storing it in plain text. While I am completely trustworthy, it's nice that I can browse the datastore and check things look ok without accidentally seeing people's passwords.
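The challenge-response exchange described above, worked through in Java (the language the rest of the post mentions). This is an added example, not code from the original post or from LJ's own client libraries; the password and challenge string are constructed sample values, and the exact challenge format is illustrative only. The point it makes is that the link poster needs nothing but MD5(password) on disk to answer every challenge, and that this stored value is therefore password-equivalent for the LJ account and must still be protected as a secret (unsalted MD5 of a typical password is cheaply reversible by brute force, so it mainly stops accidental viewing, not a determined reader of the datastore).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class LjChallengeResponse {

    // Lower-case hex, which is how LJ's challenge-response expects digests.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static String md5Hex(String s) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return hex(md.digest(s.getBytes(StandardCharsets.UTF_8)));
    }

    // What the link poster stores when the user signs up: only MD5(password).
    // The plain-text password is never written to the datastore.
    static String storedSecret(String password) throws NoSuchAlgorithmException {
        return md5Hex(password);
    }

    // Per-call response: MD5(challenge + MD5(password)), computed from the stored
    // hash and the fresh challenge fetched for this request. Because this value
    // is all the service needs, the stored hash is itself a credential.
    static String response(String challenge, String storedSecret) throws NoSuchAlgorithmException {
        return md5Hex(challenge + storedSecret);
    }

    public static void main(String[] args) throws Exception {
        String stored = storedSecret("correct horse battery staple");   // constructed sample password
        // Constructed sample challenge; a real one is fetched from the server per call
        // and is only valid for a short window, so a captured response cannot be replayed.
        String challenge = "c0:1321766400:60:300:example-challenge";
        System.out.println("stored   : " + stored);
        System.out.println("response : " + response(challenge, stored));
    }
}
```

Because the challenge is single-use and short-lived, an attacker who sees one response on the wire gains nothing, but an attacker who reads the datastore gets the stored hash and can answer future challenges directly; that asymmetry is why the stored MD5 should live behind the same access controls as a plain-text credential would.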

WordPress, on the other hand, uses the MetaWeblog API for posting, which takes the user's password in plain text.

That means I can't hash the password when it's submitted; I have to store it in a way that lets me recover the original value when required.

Anyone got any suggestions for what to use for this that's reasonably secure?

(I'm working in Java, which seems to have libraries for just about everything, if that helps.)
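One reasonably secure way to meet the requirement in the paragraphs above (a stored credential that can be turned back into the plain-text password for the MetaWeblog call) is to encrypt each password under a key that is kept outside the datastore, for example in the application's configuration or environment rather than in the same table as the users. The following is an added example written for this post, not code from the original post or from any WordPress or MetaWeblog library; it assumes a JDK with AES-GCM in the standard provider (JDK 8 or later) and the class, method and sample names are hypothetical. AES-GCM is used so that a record that has been tampered with or swapped between users fails to decrypt instead of yielding garbage, and the username is bound into the ciphertext as associated data for the same reason.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class ReversiblePasswordStore {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the GCM default
    private static final int TAG_BITS = 128;  // full-length authentication tag

    private final SecretKey key;              // loaded from config/environment, never from the datastore
    private final SecureRandom rng = new SecureRandom();

    ReversiblePasswordStore(byte[] rawKey) {
        // 16, 24 or 32 bytes; 32 gives AES-256
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    // Encrypt a password for storage. Output is base64(iv || ciphertext || tag).
    // A fresh random IV per record means two users with the same password
    // still get different stored values.
    String seal(String username, String password) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(username.getBytes(StandardCharsets.UTF_8)); // bind record to its owner
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Recover the plain-text password just before the MetaWeblog call.
    // Throws javax.crypto.AEADBadTagException if the record was modified,
    // was encrypted under a different key, or belongs to another username.
    String open(String username, String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(username.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key for the demo; in a real deployment this comes
        // from configuration or an environment variable, not from the database.
        byte[] rawKey = new byte[32];
        new SecureRandom().nextBytes(rawKey);
        ReversiblePasswordStore store = new ReversiblePasswordStore(rawKey);

        String sealed = store.seal("alice", "hunter2");   // constructed sample user/password
        System.out.println("stored  : " + sealed);         // safe to browse in the datastore
        System.out.println("recovered: " + store.open("alice", sealed));

        try {
            store.open("bob", sealed);                      // same ciphertext, wrong owner
        } catch (javax.crypto.AEADBadTagException e) {
            System.out.println("rejected: record does not belong to bob");
        }
    }
}
```

The security this buys is exactly what the post asks for and no more: someone who can browse the datastore sees opaque blobs, but anyone who can read both the datastore and the key (for example, whoever can run the application) can recover every password. Keeping the key in a separate place, restricting who can read it, and decrypting only at the moment of the API call limits how often and where the plain-text value exists, which is why delegated tokens such as the OAuth support mentioned in the edit are the better long-term answer.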

Edit: I've submitted a suggestion to DW and LJ to support OAuth. Can't see it happening this week though.
