I am using an online wallet (blockchain.info) as my hot wallet. As I understand it, to run a hot wallet for automatic withdrawal I have to keep the wallet password on the server. The withdrawal URL requires it to be passed in plain text...
Can someone suggest the best way to secure it? As far as I can see, at any point in time it is open to the server guys!!!
This is not accurate. The blockchain.info wallet is designed so that the encryption password is never sent to the server. In short, the encrypted wallet is stored on the server and decrypted on the client side only. It's re-encrypted before being sent back to the server.
You have to trust that the server won't modify the code (web page/JS) to send the unencrypted wallet back to the server, but everything else requires no trust and is verifiable (it's possible to read the client code). This is more of a problem on a web-hosted wallet like blockchain.info than on an app like Bitcoin Core, Armory, or Electrum since a web server can swap out code any time, while the others have to be explicitly updated/installed.
Client-side malware could also steal your money in the brief time that it's unencrypted on your side (but this is a problem with any hot wallet, and is a big reason why cold storage is safer).
If you're still concerned about the security of your hot wallet, I'd recommend any desktop wallet from https://bitcoin.org/en/choose-your-wallet except MultiBit (I've heard that it can lose your private keys in some circumstances, and the creator doesn't seem concerned with fixing that major problem). I use Armory.
I guess you missed my point. I'm not concerned about the wallet's internal security in this case. I'm concerned about how to secure the wallet access on my web server.