Currently building a simple login system that I will use in a couple of servers, some of which may not have database access, so I am thinking about storing user accounts in a text file. The file will be protected by htaccess, and passwords will be salted and md5 encrypted. Is there anything else I can do to protect this file? I am trying to make it compatible with as many servers as possible, so I may not be able to place it out of the www root. Also, what possible hacks could people try to access the file?
Use salted SHA(2) hashes, if possible. Do not use "Basic" authentication. Use SSL-secured form-based authentication, if possible. Give the password file a clever name with a random component (like .passwdMonkeyCow5FAD43). Try to keep that password file out of the docroot, whenever possible. If you screw up your config for a minute, your password file is free to download for that minute if it's inside the docroot ...
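As an added example (not code from the question or the answer above), here is a flat-file user store built along the lines the answer recommends: a per-user random salt, salted SHA-256 stretched with PBKDF2 (an iterated form of the salted SHA-2 hash suggested), a constant-time comparison on login, a file mode readable only by the server's own user, and a check that the file is not below the docroot. The record layout, the iteration count and all file names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Assumed record layout, one user per line: name:salt_hex:iterations:hash_hex
ITERATIONS = 200_000  # assumed work factor; raise as hardware allows


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # Salted SHA-256, iterated via PBKDF2 so every offline guess costs real work.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def add_user(path: str, name: str, password: str) -> None:
    if ":" in name or "\n" in name:
        raise ValueError("invalid username")
    salt = secrets.token_bytes(16)  # fresh random salt for this user only
    digest = _derive(password, salt, ITERATIONS)
    # 0o600: only the account the web server runs as may read or write the file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as f:
        f.write(f"{name}:{salt.hex()}:{ITERATIONS}:{digest.hex()}\n")


def verify(path: str, name: str, password: str) -> bool:
    try:
        with open(path, encoding="utf-8") as f:
            lines = f.read().splitlines()
    except FileNotFoundError:
        return False
    for line in lines:
        parts = line.split(":")
        if len(parts) != 4 or parts[0] != name:
            continue
        salt, iterations = bytes.fromhex(parts[1]), int(parts[2])
        stored = bytes.fromhex(parts[3])
        # Constant-time comparison: do not leak how many bytes matched.
        return hmac.compare_digest(_derive(password, salt, iterations), stored)
    return False


def is_outside_docroot(path: str, docroot: str) -> bool:
    # True when the file is not below the docroot, so a misconfigured
    # server cannot serve it as a static download.
    path, docroot = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([path, docroot]) != docroot
```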