PHP Login Flat File DB - Security Question


meltingpoint


I have a login system that uses a flat file database. The flat file is in a directory outside the public_html. My questions:

 

1. Is it still possible to hack into that file?

 

Currently I do not encrypt the passwords, as I have been told that having the file outside the public_html makes the file unavailable to the public. This gives me the advantage of sending the username and password to the user in an email if they forget their password or username. Otherwise, I would have to set up a more complicated method to allow them to change their password to regain access to the site. I also have SSL on the site, so I am not worried about packet sniffing.

 

Thanks


No, I'm sorry, but whoever told you not to encrypt passwords should rethink their position as a web designer.

 

Passwords are not just encrypted so that "intruders" cannot see them; it is so YOU cannot see them also. It gives peace of mind to your customers/clients. I would NEVER sign up to a website if I had a hint they were going to keep my password in plain text on file.

 

What if someone got your password, hacked your FTP, tricked you into letting them put a file on your website, or used PHP injection to execute code?

A lot of people on the internet use one or two passwords for anything they sign up to. I guess you have their email address; they could get into their email account, and then technically they could get every account that person has opened under the sun, from any website that has told them "thank you for signing up" etc. in their email!

 

Encrypt passwords with HASHES and SEEDS (a seed is a unique number that goes with the password in an MD5 or SHA256 hash).

 

If they forget their password, then they get a new one that your script will generate. If they can't remember the one they put in before, then they shouldn't mind having a new random string password.

 

If you want to go a step further, then you can let them change their password, but only if it is secure enough (a capital letter, 8+ characters, a number or more).

 

-cb-

 

PS: Security is one thing in your project you CANNOT get lazy about.

Link to comment
Share on other sites
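As an added example (not code from either poster), here is what the "hashes and seeds" advice plus the generate-a-new-password reset looks like for a flat file outside public_html. It assumes a "username:hash" line-per-user format and PHP 7.1 or later; password_hash() creates and embeds a random per-user salt itself, so no separate seed field is stored.

```php
<?php
// Added example, not code from the thread: salted password hashing for a
// flat-file user store kept outside public_html. Assumed format: one
// "username:hash" line per user. Needs PHP 7.1+ (password_hash, random_bytes).

// Load users as [username => hash].
function load_users(string $path): array {
    $users = [];
    if (!is_readable($path)) return $users;
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2) {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

// Write the map back and keep the file readable by the web user only (0600).
function save_users(string $path, array $users): void {
    $lines = [];
    foreach ($users as $name => $hash) {
        $lines[] = $name . ':' . $hash;
    }
    file_put_contents($path, implode("\n", $lines) . "\n", LOCK_EX);
    chmod($path, 0600);
}

// Store only a salted hash: password_hash() draws a fresh random salt per user
// and embeds it in the returned string, so no separate "seed" field is needed.
// A username containing ':' or a newline would corrupt the file format, so reject it.
function register_user(string $path, string $name, string $password): void {
    if ($name === '' || strpbrk($name, ":\n") !== false) {
        throw new InvalidArgumentException('invalid username');
    }
    $users = load_users($path);
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    save_users($path, $users);
}

// Verify a login: the submitted plaintext is hashed and compared, never stored.
function check_login(string $path, string $name, string $password): bool {
    $users = load_users($path);
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

// "Forgot password": the old one cannot be recovered from the hash, so issue a
// new random one, store its hash and return the plaintext for a one-time email.
function reset_password(string $path, string $name): string {
    $new = bin2hex(random_bytes(9)); // 18 hex characters
    register_user($path, $name, $new);
    return $new;
}
```

The reset function is the piece that replaces emailing the stored password: the mailer gets the new plaintext once, and the file only ever holds hashes.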
