Posted by Colin McKinnon on 07/13/05 11:15
Phil Coen wrote:
> I have been learning PHP on my own time and have an Apache server on my
> network at home. Obviously security is not a problem on this setup.
>
You think?
> But as I begin to think about actually using code on a publicly
> addressable server someday, the examples in my books seem to be wide open
> to the world.
>
> Most use an HTML form that calls a separate php program. Most of the
> passwords are either hard coded in that php module or are in a file
> accessible by that module.
>
> Heck, anybody can download the php script and look at the passwords. Or,
> use it to see what file it is pointing to.
>
Are we talking about passwords used by your PHP scripts to authenticate
against some other service (like MySQL) or to authenticate web users?
The former (which the previous 2 responders seem to be addressing) will
require to be stored in an unencrypted form (as someone else said - if your
webserver is set up correctly, they should not be visible). However the
latter (which you seem to be talking about) should never require an
encrypted password. Really, the stored token should be kept in a
non-reversible hash.
Unix authentication systems are well documented. Originally these used crypt
to hash the password, but more recently 3DES or MD5. Where you keep the
data is up to you - but even a 100% secure hash will not protect your
system against brute force attacks (particularly if the black hat can copy
the password file to his/her own machine and recreate the algorithm).
Of course you also need to think about how to secure the passing of
information to/from the browser. SSL is the obvious choice but introduces
of its own.
> Where should the logon security for the web site actually be?
>
Kinda depends...
C.
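The non-reversible hash approach described in the reply, as an added example that is not from the thread: it uses PHP's built-in password_hash()/password_verify() (added in PHP 5.5, long after this post), and the user name, password and "user:hash" record layout are constructed for the demo.

```php
<?php
// Added example (not from the original thread): store web-user credentials
// as salted, slow, non-reversible hashes rather than plaintext.

declare(strict_types=1);

// bcrypt work factor: each +1 doubles the time per guess, which is what
// slows an attacker who has copied the credential file to their own box.
const BCRYPT_COST = 12;

/** Build the storable token: a hash with its random salt embedded. */
function make_credential(string $password): string
{
    // password_hash() draws a fresh salt per call, so two users with the
    // same password still get different stored strings.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Check a login attempt. Returns the hash that should now be stored
 * (unchanged, or upgraded if BCRYPT_COST was raised since it was made),
 * or null when the password is wrong. password_verify() compares in
 * constant time, so it does not leak how many bytes matched.
 */
function check_login(string $stored, string $password): ?string
{
    if (!password_verify($password, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return make_credential($password);
    }
    return $stored;
}

// Constructed demo record, as it would sit in a file kept outside the
// web root: "username:hash". Downloading it yields no password, only
// something that costs one bcrypt computation per guess to test.
$record = 'alice:' . make_credential('correct horse battery staple');
[$user, $hash] = explode(':', $record, 2);

echo $user, ' stored as: ', $hash, PHP_EOL;
echo 'wrong password: ',
    check_login($hash, 'wrong password') === null ? 'rejected' : 'accepted', PHP_EOL;
echo 'right password: ',
    check_login($hash, 'correct horse battery staple') === null ? 'rejected' : 'accepted', PHP_EOL;
```

Raising BCRYPT_COST later is enough to migrate old records: check_login() returns an upgraded hash on the next successful login, which the caller writes back in place of the old one.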