How to safely store a password inside PHP code?
That depends on the type of passwords you want to store.
If you want to store passwords to compare against, e.g. having an
$users
array, then hashing is the way to go.sha1
,md5
or any other flavor (here’s an overview)Adding a salt accounts for additional security, because the same password will not result in the same hash
Update:
password_hash
uses a salted, strong one-way hash with multiple rounds.If you want to store passwords to connect to other resources like a database: you’re safest if you store your passwords outside your document root, i.e. not reachable by browsers. If that's not possible, you can use an
.htaccess
file to deny all requests from outside
How to store password securely in database
You hope to store your cisco switch passwords in your database in a form where you can recover the password plain text to use it for ssh connections.
Even if you encrypt the passwords in the database, your program that accesses the database will have to be able to decrypt them to use them. So the decryption key necessarily will be available to your program. That's entirely different from the kind of password-hashing mechanism available in php. Password hashing doesn't allow you to recover the password from the hash, only to compare a user-presented password with the hashed password to see if they match.
Storing decryptable passwords is not secure, and can never be secure. If somebody cracks your server, they then have access to your entire infrastructure. (Cybercreeps with access to switches and routers can really make a mess.) This is the kind of thing that shows up in https://KrebsOnSecurity.com . Don't do it. Please.
If you want more-or-less automated access to your switches via ssh, your best bet is to use ssh's key management features. The machine from which you access the switches will have a private key, and each switch will have a public key corresponding to the private key. If you configure the public keys correctly you can restrict the operations available to users who present the corresponding public keys. It's a big topic, too big for a Stack Overflow answer.
As usual, Digital Ocean's writeup of this topic is useful. https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
Can you safely store passwords in PHP?
Why would you use a php file for storage of usernames and passwords? It's pretty standard (and simple nowadays) to use a database for username / password retrieval.
That being said, you don't want to store the password in plain text in the database.
PHP 5.5 has a whole new set of password functions coming out, so how about you use a library that allows for forward compatibility of these functions? Password_compat.
The point is, you include the file, use it's functions, and then when 5.5 comes out, you just remove the include and all the functions will still work because they're part of core.
It's really simple to use:
- Hash the password using
password_hash()
- Store the username and hash in the database
- When logging in, use
password_verify()
to verify the password sent in $_POST against the hash in the database.
That's it! Simple, secure, forward compatible. Highly recommended over flat file storage.
You really should take the time to learn MySQL. However, it's great to code to an interface rather than a concrete implementation and switch out one type of storage for another any time you want.
That being said, hash your passwords and usernames and, if you must, write them to a file. At least they'll be hashed, and not in plain text. You can still use the functions described above.
You can even serialize()
your array and write that to a file, then unserialize()
it on the way back. But I'd really recommend taking the time out to learn the basics of MySQL, you'll pick it up in no time at all.
Storing a password in a PHP script
It is possible and secure enought for you if you encrypt the data. A possible encryption that can be decrypted is openssl
$txtpass = "password in textfile";
$key = "password" // Encryption password to 'lock and unlock' the data
$iv = "1234567812345678";
$encrypted = openssl_encrypt($txtpass, 'AES-128-CBC', $key, 0, $iv);
$decrypted = openssl_decrypt($txtpass, 'AES-128-CBC', $key, 0, $iv);
Use a htaccess file like this
<Files ~ "pswd.txt">
Order allow,deny
Deny from all
Satisfy All
</Files>
and store an encrypted pass and youre good to go
How to secure database passwords in PHP?
Several people misread this as a question about how to store passwords in a database. That is wrong. It is about how to store the password that lets you get to the database.
The usual solution is to move the password out of source-code into a configuration file. Then leave administration and securing that configuration file up to your system administrators. That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.
Securely displaying passwords in php
Hashing is one way. You cannot decode/decrypt a hashed password.
If you want to be able to view a password, you will need to use encryption instead of hashing.
Unless this is a strict business requirement, you should avoid having any sort of authentication system using anything other than hashing for passwords.
Eg, if the passwords you are wanting to be made available for viewing are not related to the login/authentication for your site, you should hash the login/authentication passwords, and encrypt the passwords that are to be viewed.
Is it ever ok to store password in plain text in a php variable or php constant?
The short answer is both No, and It Depends.
It's almost never a good idea to store passwords in plain text, especially in a web accessible location, if for no other reason than a simple server misconfiguration or an echo in the wrong place could expose it to the world.
If you MUST store a password, (which is possible) you could try to store it outside the webroot, eg/var/www/public_html/
Put your codez here/var/www/includes/
Put your passwords here
Even better than that would be to have the system that you need the password for (eg a database wrapper ) return an object already instantiated. so rather than asking for $databasepassword
you ask for a PDO object, and store your database classes outside the webroot.
The It Depends comes from what attack vectors would cause someone to have access to that password text, and would it require them to be already inside your filesystem, if so, you're probably screwed anyway.
Also, if its the password to your supa-secrit subscriber content, meh, all you've lost is some subscription fees, if its your database, you may have a problem, if it's your online banking details, um good for you.
How valuable is the thing the password is protecting?
Related Topics
Attach Image to Facebook Event (PHP Sdk, Rest or Graph API)
How to Store a Class Instance in a $_Session Space
How to Change the Name of an Element in Dom
Why Do I Receive "This Value Should Be of Type String" When Using a Datetime Constraint on Symfony 5
How to Use Facebook Graph API to Retrieve Fan Photos Uploaded to Wall of Fan Page
PHP - How to Know If Server Allows Shell_Exec
In Simplexml, How to Add an Existing Simplexmlelement as a Child Element
Passing and Parse Paypal Ipn Custom Field
Connect to Azure Active Directory from PHP Web Application
How to Select 10 Random Things from a List in PHP
Working with Japanese Filenames in PHP 5.3 and Windows Vista
Getting Elements of a Div from Another Page (Php)
Invalid Sos Parameters for Sequential Jpeg
PHP Foreach() with Arrays Within Arrays
Different Recipients Based on Product Category in Woocommerce Email Notification