-2

I'm developing a mail client in PHP for a customer, and they want the ability to handle all of their various email accounts from this single client.

The user should not have to type all passwords every time he wants to use the service, and that's my problem. Is there a way to retrieve and send mail through Gmail without entering the password to the mail account? Is there some other way? Or must I save the passwords in my database with some encryption and decrypt it with a "hidden" key?

stema
  • 90,351
  • 20
  • 107
  • 135
user1195745
  • 55
  • 1
  • 11
  • First off, [What have you tried?](http://whathaveyoutried.com) And secondly, you can not decrypt an encrypted string using any of the preferred hashing methods for passwords. The only way to decrypt a string is if you use or create your own decryption/encryption function (most personal encryption methods use base64) however, this is not a recommended method for passwords as they generally are easily broken. – JT Smith May 02 '12 at 01:01
  • Well I was going to try AES_ENCRYPT() (MySQL function). But I still need to save the encryption key, and I think it's risky to save the passwords that way. I might save the passwords in a table and link the passwords to the mail accounts with some algorithm. But that might also be a bad way to solve it? – user1195745 May 02 '12 at 01:07
  • Yes. The whole intent of current hashing methods is to prevent anyone, including the developer(s), from un-hashing those passwords. You need to provide a product for your customers where they feel secure entering their passwords. Take Drknezz's advice and try the token method google provides and work with that the best you can. Although it sounds like you might have a tougher time with Hotmail (as with _any_ Microsoft product) – JT Smith May 02 '12 at 01:12

2 Answers

2

https://developers.google.com/google-apps/gmail/ Read the OAuth section.

OAuth gives you a token instead of a password. Even if the user changes his Gmail password, said token would allow you to access his inbox and such.

As for Hotmail... I think no OAuth API is out there, sadly.

Read this just in case: http://msdn.microsoft.com/en-us/library/live/hh826535

Machinarius
  • 3,637
  • 3
  • 30
  • 53
0

Authentication with the email server will need you to pass the password, so you are right about the encrypt and decrypt mechanism (a cipher) for storing it in the database of your application. That will prevent email passwords from being readable if someone gets your data, but you will need to be careful in how the application stores the key to decrypt. Here are some extensions in PHP for ciphers: http://www.php.net/manual/en/refs.crypto.php

mvaldes
  • 11
  • 4
  • Ah! +1 for the OAuth recommendation; it is valid as long as the email has this form of authentication. It's better because it authorizes USER and APP. Note that you have to store in the DB a token associated with the user (it means that the user authorizes your app to impersonate him), and for your app you need a consumer (secret) key (it associates your application as a valid client). – mvaldes May 02 '12 at 02:20
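The cipher-based storage the second answer describes, as an added example that is not code from either answer: the data key lives outside the database (here a hypothetical environment variable MAIL_KEY_B64), the record is encrypted with authenticated AES-256-GCM via PHP's openssl extension, and the account id is bound in as associated data so a ciphertext copied onto another row fails to decrypt. The same routine works for storing an OAuth token.

```php
<?php
// Added example (not from the original answers). Key is never stored in the DB;
// MAIL_KEY_B64 is a hypothetical env var holding a base64-encoded 32-byte key.
function load_key(): string {
    $b64 = getenv('MAIL_KEY_B64');
    if ($b64 === false) {
        throw new RuntimeException('MAIL_KEY_B64 not set');
    }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('MAIL_KEY_B64 must decode to 32 bytes');
    }
    return $key;
}

// Returns base64(iv . tag . ciphertext) for storage in one DB column.
function seal_password(string $plain, string $key, string $account): string {
    $iv  = random_bytes(12);   // fresh nonce per record, never reused with this key
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                           $iv, $tag, $account, 16);   // $account is the AAD
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Fails closed: a wrong key, wrong account id or modified record returns false
// from openssl_decrypt, which we turn into an exception rather than a password.
function open_password(string $stored, string $key, string $account): string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('corrupt record');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                             $iv, $tag, $account);
    if ($plain === false) {
        throw new RuntimeException('decryption failed or record tampered');
    }
    return $plain;
}

// Demo with a constructed key; a real deployment provisions MAIL_KEY_B64 itself.
putenv('MAIL_KEY_B64=' . base64_encode(random_bytes(32)));
$key    = load_key();
$stored = seal_password('imap-secret', $key, 'account:42');   // constructed values
assert(open_password($stored, $key, 'account:42') === 'imap-secret');
```

Loading the key from a file readable only by the web server user, or from a secrets manager, is equivalent; the point is that a dump of the database alone yields nothing usable.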