I'm making a website with an admin section that will only ever have one username and password. What's the best way to store that information? I've found info on hashing and salting passwords, but it's all a bit advanced for me, so I'm looking for the beginners method.
Password encryption is very necessary when it comes to accounts, to prevent the hacking of the information, especially for the project you're currently doing, and I recommend you to use the strevv base64 encode; it is safe actually, but to think of it, that is the advanced method for me. However, I can assure you of its security, and since you wanted a beginner's method, try to use the md5; it's very easy for the password encryption method.
Thanks, hope it helps.
I usually encrypt the passwords myself. In-house encryption, I think, prevents public knowledge of it, but then you have to keep that knowledge in the safe.
RonB 589
Recognized Expert Moderator Contributor
Which username and password are you referring to? The one for the "admin" user of your app or the one that is used to connect to the database?
The usernames and passwords for authenticating users are stored in a database "users" table, not in your php code. The only username/password that you need to be concerned about is the one that is used to connect to the database.
PHP is an interpreted language, so the best you can do in this regard is to obfuscate these credentials by putting them in an external file. If the server admins are doing their job properly, storing the database username and password directly in the php script is almost as secure as storing them in an external file which the php script would need to parse in order to use them when connecting to the database.
If the server admins aren't doing their job, it's possible that your php source code would be displayed instead of just the resulting rendered html. In that case, your username and password would be displayed for all to see. To protect against that, those credentials should be stored in an external file outside of your webroot so that they won't be accessible from the outside. That file should have proper file permissions that only allow access by your account.
The next threat you need to worry about is a hacker gaining direct access to the server's file system. If that happens, then there's nothing you can do to secure your files. Protecting against that threat would need to be handled by the server admins.
The best security would be to not use an interpreted language.
Rabbit 12,516
Recognized Expert Moderator MVP
tdrsam, you should hash and salt the password. There's no need for you to come up with an encryption algorithm by yourself. PHP provides a function for you. http://php.net/manual/en/function.mcrypt-encrypt.php
computerfox, what did you mean by:
encrypt the passwords myself. In house encryption
Are you saying you are using an algorithm you developed yourself? The problem with creating your own algorithm, especially if you don't understand the maths behind cryptanalysis, is that it is subject to many more cryptanalytic attacks that don't affect the better-known algorithms.
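Putting RonB's and Rabbit's advice together for the one-admin case: keep a single salted hash in a config file outside the webroot, and verify it with PHP's built-in password_hash()/password_verify(), which generate and embed the salt for you. This is an added example, not code from the thread; the config path and function names are assumptions.

```php
<?php
// Added example: single-admin login backed by one bcrypt hash stored in a
// file outside the webroot. The path below is an assumption; adjust it so the
// file is NOT reachable via the web server's document root.
const ADMIN_CONFIG = __DIR__ . '/../config/admin.php';

// One-time setup, run from the CLI (not from a web request):
//   php admin_auth.php setup <username> <password>
function createAdminConfig(string $username, string $password): void
{
    // password_hash() picks a random salt and embeds it in the returned string,
    // so there is no separate salt column to manage.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $body = "<?php\nreturn " . var_export(['user' => $username, 'hash' => $hash], true) . ";\n";
    file_put_contents(ADMIN_CONFIG, $body);
    chmod(ADMIN_CONFIG, 0600); // readable only by the account PHP runs as
}

// Login check for the admin section: true only if BOTH username and password match.
function checkAdminLogin(string $username, string $password): bool
{
    if (!is_file(ADMIN_CONFIG)) {
        return false; // no credentials provisioned yet; fail closed
    }
    $cfg = require ADMIN_CONFIG;
    // hash_equals() compares in constant time, so the username check does not
    // leak how many leading characters were correct.
    $userOk = hash_equals($cfg['user'], $username);
    // password_verify() re-derives the hash with the embedded salt and compares.
    $passOk = password_verify($password, $cfg['hash']);
    return $userOk && $passOk;
}

// CLI entry point for provisioning; the web login form would call
// checkAdminLogin() with the submitted POST fields.
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'setup' && isset($argv[2], $argv[3])) {
    createAdminConfig($argv[2], $argv[3]);
    echo "admin credentials written to " . ADMIN_CONFIG . "\n";
}
```

If the hash was created with an older cost or algorithm, password_needs_rehash() after a successful login tells you when to regenerate it with the current PASSWORD_DEFAULT.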