
Password hashing

kmd
Newbie
Join Date: Mar 2008
Posts: 4
#1: Mar 23 '08
Hi
I made a simple script and I've made an admin panel. The login and password are in the config.php file. I'm using a form to log in. And my question is: is the security of this code high, low or medium? :)

In config.php I have something like this:
[PHP]$login = 'admin'; // Login to admin panel (change it)
$password = sha1(md5('test')); // Admin password (change it)[/PHP]

And in another file (used to log in):
[PHP]if (($login == $_POST["login"]) && ($password == sha1(md5($_POST["password"])))) {
    $_SESSION['admin'] = 'true';
}[/PHP]
Is it safe or not? At first I had the unhashed password in config.php and I could easily use include to read it.
Now of course I can use include and echo $password, but I will only see the hashed password.
ronverdonk
Moderator
Join Date: Jul 2006
Location: The Netherlands
Posts: 4,139
#2: Mar 23 '08

re: Password hashing


When you store the password in the config file, make sure you store it in a hashed format and not as you showed. Because your way, anyone who can reach config.php knows the password.

Another thing is to test the strength of a password. TEST is a very weak password and can be guessed easily.

Then, if you also store the config.php outside the document root, you are moderately safe.

Ronald
Markus
Moderator
Join Date: Jun 2007
Location: York, England, with wolves.
Posts: 4,936
#3: Mar 23 '08

re: Password hashing


Quote:

Originally Posted by kmd

Hi
I made a simple script and I've made an admin panel. The login and password are in the config.php file. I'm using a form to log in. And my question is: is the security of this code high, low or medium? :)

In config.php I have something like this:
[PHP]$login = 'admin'; // Login to admin panel (change it)
$password = sha1(md5('test')); // Admin password (change it)[/PHP]

And in another file (used to log in):
[PHP]if (($login == $_POST["login"]) && ($password == sha1(md5($_POST["password"])))) {
    $_SESSION['admin'] = 'true';
}[/PHP]
Is it safe or not? At first I had the unhashed password in config.php and I could easily use include to read it.
Now of course I can use include and echo $password, but I will only see the hashed password.

As I always say, using a database makes things so much easier!

Regards, markus.
kmd
Newbie
Join Date: Mar 2008
Posts: 4
#4: Mar 23 '08

re: Password hashing


Yes, you're right.
But I'm the only user, so in my opinion using a database makes everything more difficult. I have to create tables, then a file to register users, and then I have to keep one user in one table in the database. It's like wasting database space :) And now I'm looking for some safe method to make an admin panel based on a config.php file. If I don't find any, I will add user registration to my script :)
ronverdonk
Moderator
Join Date: Jul 2006
Location: The Netherlands
Posts: 4,139
#5: Mar 23 '08

re: Password hashing


Database or not, that is trivial (in this case). But you are most vulnerable by these 2 statements:
[php]$login = 'admin'; // Login to admin panel (change it)
$password = sha1(md5('test')); // Admin password (change it)[/php]
Here your userid and password are up for grabs (so to speak).

So hash/encode these values and store them in your config file in a hashed string.

Ronald
kmd
Newbie
Join Date: Mar 2008
Posts: 4
#6: Mar 23 '08

re: Password hashing


OK
Thanks very much. It's really useful. Now I know what I have to do to increase security.
But I have one more question.
Why, in many popular scripts (blogs, CMSs), is the information for the database (like host, password, database name and username) in config.php and not hashed?
Does it mean that they are not safe? Because if the login and password in my case are up for grabs, then the data for the database connection is up for grabs also, isn't it?
ronverdonk
Moderator
Join Date: Jul 2006
Location: The Netherlands
Posts: 4,139
#7: Mar 24 '08

re: Password hashing


Usually you are either protecting the config folder using .htaccess or in a folder that is outside the document root.

Ronald
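The two pieces of advice in this thread (post #5: keep only a hash in the config file; post #7: keep that file outside the document root or block it with .htaccess) can be combined in a single-admin login like the one below. This is an added example, not code posted by kmd or the moderators. It assumes a hypothetical layout of /var/www/private/config.php (not served over HTTP) and /var/www/public_html/admin/login.php (this file), and the bcrypt string in the comment is a placeholder to be replaced with real password_hash() output. Unlike the snippet in post #1 it uses password_hash()/password_verify() (salted, slow hash) instead of an unsalted sha1(md5()) and avoids comparing hash strings with ==.

```php
<?php
// Added example (not from the original thread): single-admin login whose
// config file holds only a password hash and lives OUTSIDE the web root.
//
// Assumed (hypothetical) layout:
//   /var/www/private/config.php            <- not reachable over HTTP
//   /var/www/public_html/admin/login.php   <- this file
//
// Generate the hash once on the command line; the plaintext is never stored:
//   php -r 'echo password_hash("change-me", PASSWORD_DEFAULT), PHP_EOL;'
//
// Contents of /var/www/private/config.php (placeholder hash, replace it with
// the output of the command above):
//   <?php
//   return [
//       'admin_login' => 'admin',
//       'admin_hash'  => '$2y$10$PLACEHOLDER_REPLACE_WITH_password_hash_OUTPUT',
//   ];

declare(strict_types=1);

session_start();

// Load the secrets from outside the document root. The path is relative to
// this file so it does not depend on the working directory.
$config = require __DIR__ . '/../../private/config.php';

/**
 * Returns true only when both the login name and the password match.
 *  - hash_equals() compares the login name in constant time.
 *  - password_verify() reads the salt and cost from the stored bcrypt hash,
 *    so no separate salt is stored and no "==" comparison of hash strings
 *    takes place.
 */
function checkAdminCredentials(array $config, string $login, string $password): bool
{
    $loginOk = hash_equals($config['admin_login'], $login);
    $passOk  = password_verify($password, $config['admin_hash']);
    // Both checks run before returning, so a wrong login name costs the
    // same time as a wrong password.
    return $loginOk && $passOk;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $login    = (string)($_POST['login'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    if (checkAdminCredentials($config, $login, $password)) {
        // Rotate the session id on privilege change (session fixation).
        session_regenerate_id(true);
        $_SESSION['admin'] = true;   // a real boolean, not the string 'true'
        header('Location: /admin/');
        exit;
    }

    // One generic message for a wrong login name and a wrong password.
    http_response_code(401);
    echo 'Login failed.';
    exit;
}
?>
<form method="post" action="">
    <label>Login <input type="text" name="login" autocomplete="username"></label>
    <label>Password <input type="password" name="password" autocomplete="current-password"></label>
    <button type="submit">Log in</button>
</form>
```

Pages behind the panel should check `$_SESSION['admin'] === true` after `session_start()`. If the host offers no directory outside the web root, the fallback Ronald mentions is an .htaccess in the config folder that refuses every request (`Require all denied` on Apache 2.4, `Deny from all` on 2.2); the hashed value then still limits what a reader of the file learns, but a fast unsalted hash of a weak password like "test" is guessable, which is why the example uses password_hash() and a real passphrase.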