First of all, I am not lookig for a way to store the passwords of my own site to allow users to log in (which I could easily do using salted hashes of the password).
I am building a personal web page where I would like to be able to check my PayPal balance on the home page. To do that, I need to store my PayPal credentials in a MySQL database, so I can retrieve it later from PHP to log-in in PayPal and scrape my balance. I know I could just leave my credentials on the PHP script, but I want to allow some more users to use this website (each user logs in on his own account registered on my website).
So, what I need is a secure way to store the PayPal passwords on my server and not being saved in plain text. I do not know much about encryption, so I would like to ask which is the best way to make this.
I am not sure if this question should go on programmers site or it is right here; sorry if I did wrong.
Thanks.
The appropriate answer is "Do not do this".
To answer your second question:
How does Google Wallet or Paypal store your Credit Cards security
number and details
You can start by reading about PCI Compliance with the very fun page of fees.
Just because no answer show's PayPal's opinion on the matter:
1.3 App ID and API Credentials. PayPal will provide you a unique confidential identification code, certificate and App ID that enable you to use the Developer’s Tools. PayPal may also provide you with API Credentials for testing and/or production. PayPal may immediately terminate or revoke your App ID and/or API Credentials for any reason in PayPal’s sole discretion. You may not sell, transfer, sublicense, or disclose your App ID, API Credentials or other PayPal Account credentials to any third party, other than a service provider performing services on your behalf, and you agree to notify PayPal immediately of any violation of your obligations in this sentence. If you sell or otherwise transfer your Application, or permit an API Caller to operate it, PayPal agrees to issue a new App ID to the API Caller operating your Application. The API Caller is accountable for any personal data PayPal is instructed to transfer to it. You are liable for all activities performed with your App ID, API Credentials or other PayPal Account credentials.
and
5.2.1 Legal Agreements and Related Policies. Your Application and your use of the Developer’s Tools must comply with the following Legal Agreements and policies:
(a) this Agreement,
(b) the User Agreement, both the version that applies to you together with any other version that applies to users of Your PayPal-enabled Services; if you accept users from countries other than the one in which you reside (or are incorporated, if a company), then the version of the User Agreement for the user’s country applies to that user;
Noting that storing credentials of user's subjects you to having an "Application" developed for use with PayPal even if you don't use the developer tools or API.
Linked from: PayPal Developer Agreement
And in the User Agreement
You should immediately notify PayPal if you believe:
there has been an Unauthorized Transaction, unauthorized access to your Account, or the occurrence of an Other Error;
there is an error in your Account statement (you can access your Account statement by logging into your Account) or your transaction confirmation sent to you by email;
your password or PayPal Mobile PIN has been compromised;
your PayPal Debit Card or PayPal Mobile-activated phone has been lost, stolen or deactivated; or
you need more information about a transaction listed on the statement or transaction confirmation.
You shouldn't do this. But since you probably will anyway, I'd suggest encrypting the user's PayPal password with the password they use to log into your site.
Proper password-based encryption uses a recognized key-derivation function, like PBKDF2. In addition to the password, the key derivation will require some salt, which should be generated by a cryptographic random number generator, and a number of rounds, which should be at least 60 thousand for PBKDF2.
You should be using the same algorithm (with a different salt) for authentication; after deriving an encryption key from their password, use it to encrypt a constant, known plain text, like your host name. If it matches the value set during registration, they are authenticated.
You need to be very very careful with this. You will need to thoroughly penetration test your site and DB regularly to ensure there are no security holes. Pay a professional to do this for you.
If it were me and I was committed to doing this, I would store the passwords on my server by encrypting them with a symmetric encryption algorithm (use AES) using a secret key. Keep the secret key in a very safe place. Storing passwords in plain-text (as you noted) is an egregious sin, and storing them under two-way encryption is only a little better. Best practice is to use a one-way hash with salt.
To re-iterate what everyone else has said: Don't store anyone's (including your own) paypal password on your website (in the code itself or in a database).
However, it IS possible to integrate paypal into your website and read YOUR OWN paypal balance using their integration APIs. It has been a long time since I've worked with the paypal API but I know it is possible. You can use the Transactional Information API to simply get the paypal balance of the account using the GetBalance call. In order to do this you will need to setup a paypal developer account, get an API key, and be able to call SOAP APIs from your web application. See here for getting started with the classic Paypal APIs.
All in all it may be too much work to implement a feature on your own personal web page.
