There's been a lot of stuff recently about hashing/salting/mashing/crushing/blending etc. passwords for authentication, but what if your application needs access to the plain text passwords? Say, it authenticates with a third party service that requires you to send a username and password to authenticate (i.e. authenticating with a user's IMAP/SMTP email account or logging in to their Twitter).

Let's ignore the server/database part of this (though that is, of course, important). How should your application store these authentication details in a way where, if your server was compromised and the hackers had access to the database AND application code?
If they have access to the application code, then it's all over, since your application has to be able to decrypt the password back to plain text to use it.

The only way around this that I can see is just using a different method of authentication.