Is It Ever Ok to Store Password in Plain Text in a PHP Variable or PHP Constant

Is it ever ok to store password in plain text in a php variable or php constant?

The short answer is both No, and It Depends.

It's almost never a good idea to store passwords in plain text, especially in a web accessible location, if for no other reason than a simple server misconfiguration or an echo in the wrong place could expose it to the world.

If you MUST store a password, (which is possible) you could try to store it outside the webroot, eg
/var/www/public_html/ Put your codez here

/var/www/includes/ Put your passwords here

Even better than that would be to have the system that you need the password for (eg a database wrapper ) return an object already instantiated. so rather than asking for $databasepassword you ask for a PDO object, and store your database classes outside the webroot.

The It Depends comes from what attack vectors would cause someone to have access to that password text, and would it require them to be already inside your filesystem, if so, you're probably screwed anyway.

Also, if its the password to your supa-secrit subscriber content, meh, all you've lost is some subscription fees, if its your database, you may have a problem, if it's your online banking details, um good for you.

How valuable is the thing the password is protecting?

Is it secure to store a password in a session?

Keeping plaintext passwords anywhere in any capacity is usually a bad idea. Sessions are safe as such, but only as safe as the rest of your server environment. Administrators or other users both legitimate and nefarious may have access to data stored on it. You never want to handle the secrets of your customers if you can avoid it; that also means you want to avoid seeing the user's password under any circumstances and you should build your code in a way that the plaintext password is as short lived as technically possible.

If you need to use the password for something during a session, you should architect your app so it never uses the plaintext password, but use a key derivation function to derive a key from the password which you then use for your sensitive tasks. This way there's a lot less chance to expose the user's password. Remember, the only security the user has is the secrecy of his password that only he is supposed to know.

Storing database credentials in PHP constans and security

The only risk is if you have the definitions under the document root. In that case, if something goes wrong with your server configuration and people can see your PHP code, the constants (and thus database credentials) will be exposed.

The most secure way (that I know of) is to have the credentials as part of the server environment that is restricted only to root. Then, developers can use _SERVER['db_user'], etc. This is potentially more secure in that the people who have access to the actual DB credentials are more limited. It also gives you the flexibility to use different credentials depending on the server (development vs. production, for example). However, you can see all server environment variables with phpinfo(), var_dump($_SERVER), etc. so you have to take care not to upload such things.

Where and how to store MySQL passwords available to PHP

Your solution is fine.

Most of the suggested solutions are just exaggerated as although they may higher the level of security a bit they are not worth the additional effort.

Because the security should not only rely on the secrecy of the password. At best, even if the password get’s revealed, its knowledge is worthless for an attacker as he cannot use it.

This means, use a MySQL user dedicated to your application with permissions following the principle of least privilege and only allow the access to the database from that application’s web server (see MySQL Access Privilege System).

Storing Password in Databases in plain text vs Customer Needs

Write a short, clear and jargon-free formal letter stating your concerns and concluding that in your professional opinion, it should be rectified. Address it to someone reasonably high up in the customer.

If they then choose to ignore your advice, that's their prerogative.

(Keep a copy of the letter yourself, too.)

a better approach than storing mysql password in plain text in config file?

Since your code will need the password there is no perfect security. But you can make it hard to recover.

I put some hash in my web config, as an environment variable, say MYSQL_PASS_HASH

Then I do something like md5(getenv('MYSQL_PASS_HASH').'gibberish$qwefsdf') which is then the password. Of course you should unsetenv after that if you're paranoid.

Your password will not literally be stored somewhere, and it can be recovered only when someone has both you web config and your database include.

This happens in a file outside of the webroot (don't put all your trust in .htaccess).

Is it secure to store passwords as environment variables (rather than as plain text) in config files?

On a more theoretical level, I tend to think about levels for security in the following ways (in order of increasing strength) :

• No security. Plain text. Anyone that knows where to look, can access the data.
• Security by Obfuscation. You store the data (plaintext) someplace tricky, like an environment variable, or in a file that is meant to look like a configuration file. An attacker will eventually figure out what's going on, or stumble across it.
• Security provided by encryption that is trivial to break, (think caesar cipher!).
• Security provided by encryption that can be broken with some effort.
• Security provided by encryption that is impractical to break given current hardware.
• The most secure system is one that nobody can use! :)

Environment variables are more secure than plaintext files, because they are volatile/disposable, not saved;
i.e. if you set only a local environment variable, like "set pwd=whatever," and then run the script,
with something that exits your command shell at the end of the script, then the variable no longer exists.
Your case falls into the first two, which I'd say is fairly insecure. If you were going to do this, I wouldn't recommend deploying outside your immediate intranet/home network, and then only for testing purposes.

Should I store passwords using php serialize instead of using database?

A file with the correct chmod permissions is just as secure as a database storage in this instance.

Think about it: the mysql database is actually stored in binary files on your server's filesystem. If a malicious user gains access to your server they have the same access to the binary database files as any other file, including your serialized and encrypted data in a text file.

As long as this text file isn't in a directory that's publicly accessible via the web server it's no less secure. Of course, if someone gets root access you're pretty much foobar'd either way.

What you should never do is store clear text passwords. md5() is (just) okay. sha1() has now emerged as a better option for encrypting this type of data.

Why is database password stored in plain text in wp-config.php in WordPress, security issue?

If your users can read your wp-config.php you've already lost from a security perspective.

Let's say the database credentials weren't stored in plain text and were, say, stored as an encrypted string that would be decrypted by Wordpress itself. If the potential attacker can read the wp-config.php they can probably read the decryption key as well as there's no reason to suspect that that would be stored any more securely.

When people talk about how up to date security mechanisms use hashing and salting that is only relevant to when you are the effective server. Hashing is a one way process of taking a password and converting it into something that is impossible to reverse back into the password. If you're a client rather than a server, there's no way to get around the fact that you need to have a way of getting the plain text password.

---

Related Topics