Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Can you avoid storing the secret?
If you use an alternative implementation technique, it could remove the need to
store secrets. For example, if all you need to do is verify that a user knows a
password, you do not need to store passwords. Store one-way password hashes
instead.
Also, if you use Windows authentication, you avoid storing connection strings
with embedded credentials.
What are "one-way password hashes"? Which "alternative implementation techniques" do you suggest for storing passwords?
Do You Store Secrets?
Secrets include application configuration data, such as account passwords and
encryption keys. If possible, identify alternate design approaches that remove any
reason to store secrets. If you handle secrets, let the platform handle them so that the
burden is lifted from your application wherever possible.
May someone explain more about this: "If you handle secrets, let the platform handle them so that the burden is lifted from your application wherever possible"?
A one-way password hash is a good way to make sure you can't give away secrets even if you wanted to. For instance, let's say my password is "cheese". If I one-way encrypt this with, say, md5, and store it that way, I lose access to whatever that password really is. Then, in the future, if I want to check to see if I've typed my password correctly, I'll md5 my input and compare it to the stored md5 password.
Two-way encryption allows you to decode the secret in question. I prefer to use one-way encryption because it takes (nearly) all responsibility off me as a developer/dba.
"One-way" means the function output cannot be directly reversed to recover the input. Other attacks are quite possible. My research shows that about 50% of unsalted passwords are trivially recoverable, and 80% are recoverable within 24 hours.
Details on the possible attacks and counter-measures are here: viewtopic.php?t=62782
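As an added example, not code posted by anyone in this thread: the hash-on-write, hash-and-compare-on-login scheme the "cheese" reply describes, with the per-user salt and slow derivation function that the last reply's point about unsalted passwords calls for. It uses the Python standard library rather than PHP (in PHP, password_hash() and password_verify() give the same behaviour); the record format, the iteration count and the function names are my own choices.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Chosen for this example; tune the work factor to your hardware.
ITERATIONS = 210_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    The clear-text password never leaves this function; only the record is
    kept. A fresh random salt per call means two users with the same password
    get different records, so one precomputed table cannot serve both.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt and parameters, then compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False  # unknown or malformed record: never treat as a match
    _, iterations, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """The scheme from the reply above, kept only for contrast: no salt, one fast
    round. Every user who picks the same password stores the identical value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("cheese")           # what goes in the database
    print(record)
    print(verify_password("cheese", record))   # True
    print(verify_password("Cheese", record))   # False
    # Two accounts, same password: unsalted records collide, salted ones do not.
    print(unsalted_md5("cheese") == unsalted_md5("cheese"))   # True
    print(hash_password("cheese") == hash_password("cheese")) # False
```

The record carries its own salt and iteration count, so the work factor can be raised later and old records re-hashed at the user's next successful login without a schema change.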