I've found numerous posts on stackoverflow on how to store user passwords. However, I need to know what is the best way to store a password that my application needs to communicate with another application via the web? Currently, our web app needs to transmit data to a remote website. To upload the data, our web app reads the password from a text file and creates the header with payloads and submits via https.

This password in plain text on the file system is the issue. Is there any way to store the password more securely?

This is a linux os and the application is written in python and is not compiled.

Thanks!

Further clarification: There are no users involved in this process at all. The password stored in the file system is used by the other web app to authenticate the web app that is making the request. To put it in the words of a commenter below: "In this case, the application is the client to another remote application." (Thanks Joe for helping me clarify.)

From the question it seems you need to store password in such a way, that it can be read and used in an automated transaction with another site. You could encrypt the password and store it encrypted in the file, then decrypt it using a key stored elsewhere in your system before using it. This makes difficulties to someone that gets access to the file from using the password, as they now have to find the key and encryption algorithm used, so they can decrypt it.

As defense, more lesser defense is always better than one strong defense that fails when breached. Moreover, I would also secure the file containing the password, rather than the password itself. Configure your webserver to disable possibility to serve the file containing the password, and try to set the process needing the file to run under a separate account, so you can restrict the access to the file to account running the process and admin accounts only.

I don't think you will find a foolproof way to do this. I would suggest a combination of things to achieve 'security by obscurity':

• store the password file on a different computer than the one which will use it
• store the file path in a separate config file on the app nachine
• use permissions to limit access to the config and password files to your process only
• audit file access if your system allows it (keep a log of who touched the files)
• give the folders and files innocuous names (/usr/joe/kittens.txt?)
• block physical access to the computer(s) (offsite hosting, or locked closet, or something)

You can use a two-way key encryption algorithms like RSA, The password is stored encrypted (by a key, which is stored in the user's brain) on the filesystem, but to decode the password, the user must enter the key.

At the very least you should use permissions (if you are on a filesystem which supports them) to ensure that you are the only one able to read the file.

In addition, if your app is compiled, it would not be too difficult to encrypt the password with a hard-coded passphrase. If the code is not compiled this method wouldn't really be helpful, as a would-be attacker could just read the source and determine the encryption.

You can store it as a result of hash algorithm, this is one way algorithm (eg. MD5 or SHA). On authentication you calc MD5 of password typed by user and checking equality with your stored MD5 password hash for this user. If is equal password is ok.

For more information about hasing algorithms you can visit:

• http://en.wikipedia.org/wiki/Secure_Hash_Algorithm
• http://en.wikipedia.org/wiki/MD5

Is your web application hosted on a farm? If not then a technology such as DPAPI will allow you to encrypt the password so that it can only be decrypted on the machine it was encrypted on.

From memory there can be problems with using it on a web farm though, as you need to go and re-encrypt the value for each server.

If it is a web farm then you probably want to use some form of RSA encryption as has been suggested in other answers.

EDIT: DPAPI is only good if you are hosting on windows of course...

Protecting the Automatic Logon Password

The LsaStorePrivateData function can be used by server applications to store client and machine passwords.

Windows only

I don't think you are understanding the answers provided. You don't ever store a plain-text password anywhere, nor do you transmit it to another device.

You wrote: Sorry, but the issue is storing a password on the file system... This password is needed to authenticate by the other web app.

You can't count on file system protections to keep plain-text safe which is why others have responded that you need SHA or similar. If you think that a hashed password can't be sufficient for authentication, you don't understand the relevant algorithm:

1. get password P from user
2. store encrypted (e.g. salted hash) password Q someplace relatively secure
3. forget P (even clear the buffer you used to read it)
4. send Q to remote host H
5. H gets password P' from user when needed
6. H computes Q' from P', compares Q' to Q for equality