Secure website passwords

**whats in a name** · 6 May 2004, 22:23

whats the platform ?

Are we talking about apache or iis or something else ?

Ignoring whatever might be possible with the platform and just thinking application can you put the file somewhere other than under the web root and hence have it only accessible by your scripts (which of course just verify a password rather than returning it) ?

**DimPrawn** · 6 May 2004, 22:43

It is impossible to secure any server (even Linux) against super intelligent grey squirrels.

Saying that, a text file that is secured through file permissions or a simple database (MySQL or similiar?) will do the trick.

As long as users cannot gain access to the file (i.e. download it), it should be secure enough for a noddy site.

**ScotsPine** · 7 May 2004, 07:36

use a database

and an encrypting algorithm such as md5. quite straightforward and cheap and effective. it gives a one-way encryption of passwords. you could even use an mdb file.

**Pst** · 7 May 2004, 12:52

use john the ripper

Use the linux tool known as "john the ripper" to check the security of passwords. Search for "john the ripper, linux" on google.

**PerlOfWisdom** · 7 May 2004, 13:43

Re: use john the ripper

On apache, most common configurations disallow the viewing of any file who's name begins with .ht

So put the passwords in a file named .htpasswords and ftp it to the server. You won't be able to see it when it has been uploaded but it can be read by a cgi script.

**rebeccaloos** · 7 May 2004, 14:21

Re: use john the ripper

That solution might work but I think the "standard" implementation for this would be to store the passwords in a MySQL database table, then your PHP code can retrieve and use them when the page is called.

**PerlOfWisdom** · 7 May 2004, 14:32

Re: use john the ripper

might ??????

**rebeccaloos** · 7 May 2004, 14:46

Re: use john the ripper

Sorry I wasn't impying it doesn't - but I haven't tested it myself so I don't know.

I should have said: "another solution would be to ...."

Sorry again.

**AtW** · 7 May 2004, 19:45

I'd use known algorithm to generate and check cryptographically strong serials. This would allow not to keep a list with serials anywhere on the site and I'd use compiled and obfuscated code to check keys. Of course if I was really paranoid I'd keep that code behind firewall elsewhere so that website would have to request/check keys via SSL with some good monitoring present to ensure no one tries to guess too many serials.

Secure website passwords