Using Zend_Mail_Transport_Smtp with an MD5-Hashed value as password

Question

I'd like to offer the users ob my web-application the possibility to send out emails using our smtp-server.

The password for the user accounts are md5-hased and the smtp-server is hashing the received values to check for the right username-password kobination.

Now i'm looking for a good way to set up Zend_Mail_Transport_Smtp - I obviously need the plain-text password and forward it to the smtp-server which then converts it to a md5-hash. But that means that i have to store the users password somewhere in plaintext, which i'd like to avoid.

Are there any best practices on how to set up an webmailer using the zend framework?

The only idea i had was to save the unhashed password in a session (the user accounts in my application are linked with the mail server accounts), but there has to be a better way to handle this situation

Answer 1

What you can do is to store the password in a encoded format in the database and decode it in your application when you need it. Unfortunately MD5 is just a hashing function and you cannot decode to the plain password. I know three ways to accomplish this:

1. Substitute letters:

   You can use something like ROT13 to replace letters in your plain password:

   // store this in the database
   $pw_rot = str_rot13( "plain_password" );
   // use this in the application
   $pw_plain = str_rot13( "cynva_cnffjbeq" );
   

   I wouldn't recommend to use str_rot13() or something like this, because is easily guessed by someone who sees the password.

2. Decode/encode without a key:

   Another way is to decode/encode the password with a function, which doesn't need a key like Base64:

   // store this in the database
   $pw_base64 = base64_encode( "plain_password" );
   // use this in the application
   $pw_plain = base64_encode( "cGxhaW5fcGFzc3dvcmQ=" );
   

   A little bit better then the above, but I would use that only for testing purposes, because it's easily implemented and to use.

3. Decode/encode with a key:

   A better way is to use key and a symmetric block cipher like Blowfish:

   class Password {
     const KEY = 'your_secret_key_for_the_cipher';
   
     // encode the plain text with key for storing in the database
     public function encode( $plain_text ) {
       // set up the environment
       $td      = mcrypt_module_open( MCRYPT_BLOWFISH, '', MCRYPT_MODE_ECB, '' );
       $key     = substr( self::KEY, 0, mcrypt_enc_get_key_size( $td ) );
       $iv_size = mcrypt_enc_get_iv_size( $td );
       $iv      = mcrypt_create_iv( $iv_size, MCRYPT_RAND );
   
       if( mcrypt_generic_init( $td, $key, $iv ) != -1 ) {
         $cipher_text = mcrypt_generic( $td, $plain_text );
         // clean up the mcrypt enviroment
         mcrypt_generic_deinit( $td );
         mcrypt_module_close( $td );
       }
   
       // use hex value            
       return bin2hex( $cipher_text );
     }
   
     // decode the stored cipher text with key to use in the application
     public function decode( $cipher_text ) {
       // set up the environment
       $td      = mcrypt_module_open( MCRYPT_BLOWFISH, '', MCRYPT_MODE_ECB, '' );
       $key     = substr( self::KEY, 0, mcrypt_enc_get_key_size( $td ) );
       $iv_size = mcrypt_enc_get_iv_size( $td );
       $iv      = mcrypt_create_iv( $iv_size, MCRYPT_RAND );
   
       if( mcrypt_generic_init( $td, $key, $iv ) != -1 ) {
         $plain_text = mdecrypt_generic( $td, pack( "H*" , $cipher_text ) );
         // clean up the mcrypt environment
         mcrypt_generic_deinit( $td );
         mcrypt_module_close( $td );
       }
   
       // remove NUL which maybe added by padding the plain_text
       return rtrim( $plain_text, "\0" );
     }
   

   With this way only someone who has access to the database and the source code can decode the password. On the down side you have a more complex application and little bit performance impact. Also you can other symmetric block cipher.

And the most important: Never store plain passwords.