I have no idea how to design such a beast, but I would put the passwords in a db 
server.  I would put it behind an auth server.  The auth server takes the password 
from the web server/script, encrypts it, and sends it to the db server.  The db server 
first ensures that the auth server is the one making the request (using rDNS or 
whatever favorite method you have), then compares the password sent to the password on 
file (doing whatever encrypt/decrypt you desire).  The db server sends back either a 
yes or no to the auth server, which forwards to the web server/script.



-----Original Message-----
From: Wooi Koay 
Sent: Tuesday, April 09, 2002 09:46
To: [EMAIL PROTECTED]
Subject: store passwords securely


Hi,

I would like to write a web app that stores a list of passwords securely.
The reason why it has to be a web app is because I want to access the site
using blackberry (rim handheld).

My idea is to decrypt the password list using a public key, and when a
valid user logs in, the password list is decrypted using the user's
private key.  If another user accidentally accesses the password list of
different people, he still can't read the password list because he doesn't
have the matched private key.  The problem that I can see is that the
webserver somehow needs to have access to the public/private key pair.  If
the webserver is compromised, the passwords could potentially be read.  Any
thoughts on that?

TIA, wooi.
