logins stored in a .txt file above the document root
Posted: Fri Mar 02, 2007 1:58 am
by s.dot
The administrator login page is at doc_root/admin.php
The administrator usernames and passwords are stored in a .txt file above the document root in doc_root/../sensitive_data/administrators.txt
The logins are stored in this format:
If I use a challenge/response to encrypt the login data and prevent it from being sniffed, is this pretty secure?
Posted: Fri Mar 02, 2007 7:45 am
by feyd
In theory, it sounds fine.
I would be more worried about your storage scheme for users and passwords.
Posted: Fri Mar 02, 2007 12:51 pm
by s.dot
feyd wrote: In theory, it sounds fine.
I would be more worried about your storage scheme for users and passwords.
How come?
The site in question does not have a database of users. Instead it just relies on a few administrators to perform tasks every so often, or check content.
There are 3 administrators, so I figure a user:pass txt file would be easiest to implement.
Posted: Fri Mar 02, 2007 1:39 pm
by feyd
Easy to implement, sure, but unless you are reliably sure that no one can get to that file (outside the document root isn't good enough alone) then you are okay overall. However, I would suggest hashing the entire piece of information regarding their user and password combination.
Posted: Sat Mar 03, 2007 3:49 pm
by WaldoMonster
Or maybe it is an idea to place the file inside the document root with a .php extension, like administrators.txt.php.
Nobody from a web browser can see what is inside the script.
Or maybe even use an array:
Code:
<?php
$pass = array();
$pass['username'] = 'saltedmd5';
?>
Posted: Sat Mar 03, 2007 9:10 pm
by Ambush Commander
Attacks from the web-wise, you should be in the clear. If it's a multi-user system, though, it may be exposed to the outside (permissions tomfoolery and such). But the risk is very slight, and there's not much they can do with salted md5s.
P.S. Where's the salt coming from?
Posted: Sun Mar 04, 2007 2:32 am
by s.dot
The salt is just a string I supplied in the coding.
Code:
$password = md5($_POST['password'].'random-salt-string');
Posted: Sun Mar 04, 2007 4:55 am
by Mordred
With a fixed salt, there is the danger of detecting when several users have the same password. Then, there's good money that it is in a short dictionary (100-500 most common passwords) which can easily be tried with an online attack.
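To make Mordred's point concrete, here is an added example (not code from the thread) that hashes three constructed administrator passwords once with the single fixed salt from s.dot's snippet and once with a random per-user salt stored next to the hash; the administrator names and passwords are made up for the demonstration.

```php
<?php
// Added example: why a single fixed salt leaks which administrators share a
// password, and how a per-user salt hides that while still verifying logins.
declare(strict_types=1);

const FIXED_SALT = 'random-salt-string';   // the one salt from s.dot's snippet

// Scheme A: one application-wide salt, as in the thread.
function hashFixedSalt(string $password): string {
    return md5($password . FIXED_SALT);
}

// Scheme B: a fresh random salt per user, stored alongside the hash as "salt:hash".
function hashPerUserSalt(string $password): string {
    $salt = bin2hex(random_bytes(16));           // 128-bit random salt, hex encoded
    return $salt . ':' . md5($salt . $password);
}

function verifyPerUserSalt(string $password, string $stored): bool {
    [$salt, $hash] = explode(':', $stored, 2);
    return hash_equals($hash, md5($salt . $password)); // constant-time compare
}

// Constructed sample: two of the three administrators picked the same password.
$plaintext = ['alice' => 'letmein', 'bob' => 'letmein', 'carol' => 'correct horse'];

$fixed   = array_map('hashFixedSalt', $plaintext);
$perUser = array_map('hashPerUserSalt', $plaintext);

// With a fixed salt, equal passwords give equal hashes, so anyone who can read
// administrators.txt learns that alice and bob share a password: the leak
// Mordred describes, which points a short dictionary at the weakest account.
$leaks = $fixed['alice'] === $fixed['bob'];       // true
echo 'fixed salt reveals shared password: ' . var_export($leaks, true) . PHP_EOL;

// Per-user salts break that relationship; the stored lines look unrelated.
$hidden = $perUser['alice'] !== $perUser['bob'];  // true
echo 'per-user salt hides it: ' . var_export($hidden, true) . PHP_EOL;

// Verification still works for the right password and fails for a wrong one.
var_dump(verifyPerUserSalt('letmein', $perUser['bob']));   // bool(true)
var_dump(verifyPerUserSalt('wrong',   $perUser['bob']));   // bool(false)

// Current PHP ships password_hash()/password_verify(), which salt per user and
// use a deliberately slow hash; prefer them over md5 for any new code.
echo password_verify('letmein', password_hash('letmein', PASSWORD_DEFAULT)) ? "ok\n" : "fail\n";
```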