Password hashing

  • kmd
    New Member
    • Mar 2008
    • 4

    Password hashing

    Hi
    I made a simple script and I've made an admin panel. The login and password are in the config.php file. I'm using a form to log in. And my question is: is the security of this code high, low or medium? :)

    In config.php I have something like this:
    [PHP]
    $login = 'admin'; // Login to admin panel (change it)
    $password = sha1(md5('test')); // Admin password (change it)
    [/PHP]

    And in another file (used to log in):
    [PHP]
    session_start(); // needed so $_SESSION persists between requests
    if (($login == $_POST["login"]) && ($password == sha1(md5($_POST["password"])))) {
        $_SESSION['admin'] = 'true';
    }
    [/PHP]
    Is it safe or not? At first I had the non-hashed password in config.php and I could easily use include to read it.
    Now of course I can use include and echo $password, but I will only see the hashed password.
  • ronverdonk
    Recognized Expert Specialist
    • Jul 2006
    • 4259

    #2
    When you store the password in the config file, make sure you store it in a hashed format and not as you showed. Because your way, anyone who can reach config.php knows the password.

    Another thing is to test the strength of a password. TEST is a very weak password and can be guessed easily.

    Then, if you also store config.php outside the document root, you are moderately safe.

    Ronald


  • Markus
    Recognized Expert Expert
    • Jun 2007
    • 6092

    #3
    Originally posted by kmd:
        Hi
        I made a simple script and I've made an admin panel. The login and password are in the config.php file. I'm using a form to log in. And my question is: is the security of this code high, low or medium? :)

        In config.php I have something like this:
        [PHP]
        $login = 'admin'; // Login to admin panel (change it)
        $password = sha1(md5('test')); // Admin password (change it)
        [/PHP]

        And in another file (used to log in):
        [PHP]
        session_start(); // needed so $_SESSION persists between requests
        if (($login == $_POST["login"]) && ($password == sha1(md5($_POST["password"])))) {
            $_SESSION['admin'] = 'true';
        }
        [/PHP]
        Is it safe or not? At first I had the non-hashed password in config.php and I could easily use include to read it.
        Now of course I can use include and echo $password, but I will only see the hashed password.
    As I always say, using a database makes things so much easier!

    Regards, markus.


  • kmd
    New Member
    • Mar 2008
    • 4

    #4
    Yes, you're right.
    But I'm the only user, so in my opinion using a database makes everything more difficult. I have to create tables, then a file to register the user, and then I have to keep one user in one table in the database. It's like wasting database space :) And now I'm looking for some safe method to make an admin panel based on a config.php file. If I don't find any, I will add user registration to my script :)


  • ronverdonk
    Recognized Expert Specialist
    • Jul 2006
    • 4259

    #5
    Database or not, that is trivial (in this case). But you are most vulnerable because of these 2 statements:
    [php]
    $login = 'admin'; // Login to admin panel (change it)
    $password = sha1(md5('test')); // Admin password (change it)
    [/php]
    Here your userid and password are up for grabs (so to speak).

    So hash/encode these values and store them in your config file as a hashed string.

    Ronald
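    An added example (not code from the thread) of the approach Ronald describes: the admin credentials stay in config.php, but the password is stored only as a salted, slow hash produced by PHP's password_hash() and checked with password_verify() (PHP 7+ syntax), in place of sha1(md5()). The file layout, the placeholder hash string and the function name are assumptions.

```php
<?php
// Added example, not the thread's code. Assumed layout: config.php sits
// outside the document root; only the hash is stored, never the plaintext
// and never an unsalted, fast sha1(md5(...)) digest.

// ---- config.php ----
$login = 'admin';
// Generate once from the command line and paste the output here:
//   php -r 'echo password_hash("your-real-password", PASSWORD_DEFAULT), PHP_EOL;'
// Placeholder below; a real bcrypt value starts with "$2y$".
$password_hash = '$2y$10$REPLACE_WITH_REAL_PASSWORD_HASH_OUTPUT';

// ---- login.php ----
function check_admin_login(string $expected_login, string $expected_hash,
                           string $given_login, string $given_password): bool
{
    // Constant-time comparison for the username, so response time does not
    // reveal how many leading characters matched.
    $login_ok = hash_equals($expected_login, $given_login);
    // password_verify() reads salt and cost from the stored hash and compares
    // in constant time; it returns false for the placeholder above.
    $password_ok = password_verify($given_password, $expected_hash);
    return $login_ok && $password_ok;
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $given_login    = $_POST['login'] ?? '';
    $given_password = $_POST['password'] ?? '';
    if (check_admin_login($login, $password_hash, $given_login, $given_password)) {
        session_regenerate_id(true);   // fresh session id after login (anti-fixation)
        $_SESSION['admin'] = true;     // a real boolean, not the string 'true'
        // If PHP's default cost rises later, upgrade the stored hash on login:
        if (password_needs_rehash($password_hash, PASSWORD_DEFAULT)) {
            // write password_hash($given_password, PASSWORD_DEFAULT) back to config.php
        }
    } else {
        unset($_SESSION['admin']);
    }
}
```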


  • kmd
    New Member
    • Mar 2008
    • 4

    #6
    OK, thanks very much. It's really useful. Now I know what I have to do to increase security.
    But I have one more question.
    Why, in many popular scripts (blogs, CMSs), is the information for the database (like host, password, database name and username) in config.php and not hashed?
    Does it mean that they are not safe? Because if the login and password in my case are up for grabs, then the data for the database connection is up for grabs also, isn't it?


  • ronverdonk
    Recognized Expert Specialist
    • Jul 2006
    • 4259

    #7
    Usually you are either protecting the config folder using .htaccess, or it is in a folder that is outside the document root.

    Ronald
