Posted by Justin Koivisto on 05/12/05 23:51
Pat A wrote:
> We have a dilemma. We are storing our database password in an include
> file that resides outside of the web root. The password is in plain
> text. So, no one can get that password because it can't be served up
> by the web server. So far, so good.
>
> The customer wants all of our passwords encrypted. So, how do I go
> about securely encrypting that password? If I use mcrypt, I have to
> store a key and an IV somewhere...and if those are in clear text, I
> might as well just store the password in clear text. That is to say, I
> could encrypt the password with a given key and IV, and then hard code
> that key and IV into my app and put the encrypted password into the
> database. But, there's really no security in that.
>
> Has anyone else done anything like this?

I went and purchased ionCube Encoder just for that reason. I didn't find
any other method that couldn't be cracked in less than a couple of days'
time - by someone else of course. ;)
Of course, then there are some added benefits to using ionCube as well
that helped persuade my purchase. ;)
--
Justin Koivisto - justin@koivi.com
http://koivi.com