saving a password in a db table

I am working on an application where I need to save a password to a db table. This password needs to be able to be retrieved from the table for the application to use it to authenticate with another server. My question is what mechanism is there in concrete to be able to do this? Is there another mechanism I should use?

Thanks
Tony

 
goutnet replied:
I guess there isn't anything like this in c5, but you could use the built-in mcrypt library to encrypt it and decrypt it from the database.

That would at least make it safe from the database dump point of view.
JohntheFish replied:
The usual approach with passwords is to use a one way hash to encrypt them, store the encrypted password, then encrypt and compare the encrypted text when users enter passwords.
afandino replied:
John,

I agree with you; if I were authenticating on my own system I would use that approach, but I need to be able to feed the password to another system. I am going to look into mcrypt; that might be the solution. I have just for now made a small algorithm that scrambles things up so I don't store the plain text password in the db.
goutnet replied:
Well the point is that however you look at it, even using mcrypt you will still have to store the cipher key in plain in the code at some point …

So security-wise, it is not that great. Or you could use a different approach: if you don't need to allow that second system to access automatically the password, you could use a public/private key type of approach (à la ssh), a bit more complex to set up, or throw in a manual password check in the middle (the admin would have to type in a password for the sync to happen). At least that would ensure the password not being stored in clear…
afandino replied:
I understand what you're saying, but my application needs to log into the other system. I realize that I have to place the key in the code; I guess I will just have to bury it deep in the code. It's surprising, though, that even C5 stores its db password in plain text in the config file.
JohntheFish replied:
If you are coding an api for the other system, you could add a password encrypt call to the api. That way the c5 system never actually holds the unencrypted password or the encryption key.
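
An added example (not code from any poster in this thread) of the reversible encryption discussed above, with the key read from outside both the code and the database so that a table dump alone does not reveal the password. It uses PHP's bundled sodium extension (PHP 7.2+) rather than mcrypt, which was removed from PHP core in 7.2. The environment variable name `CRED_KEY` and the sample password are assumptions made for the example.

```php
<?php
// Added example: reversible encryption of a stored third-party password.
// CRED_KEY is a hypothetical environment variable; the key never goes in the table.

function loadKey(): string
{
    $b64 = getenv('CRED_KEY');
    $key = $b64 === false ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('CRED_KEY missing or not 32 bytes of base64');
    }
    return $key;
}

// Returns the value to store in the table column: base64(nonce || ciphertext+MAC).
function sealPassword(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per record
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

// Recovers the password; throws if the stored value was altered or the key is wrong.
function openPassword(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered value');
    }
    return $plain;
}

// Demo with constructed values; in deployment the key is set outside the code and DB.
if (getenv('CRED_KEY') === false) {
    putenv('CRED_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
}
$key    = loadKey();
$stored = sealPassword('constructed-remote-password', $key);
echo "column value: $stored\n";
echo "recovered:    " . openPassword($stored, $key) . "\n";
try { // a table dump without the right key does not decrypt
    openPassword($stored, sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo "other key:    " . $e->getMessage() . "\n";
}
```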