For my very small website that only friends know of, I am developing a password system. I am saving the passwords in a php file like this.

<?php
if($_GET["p"]=="password"){
?>
user1 password1
user2 password2
<?php
}
?>

Then, I can read the password with file_get_contents(pass.php?p="password"); And I can still write the password by writing to the php file just like I would a text file. Is this method insecure? Are there similar methods that do not require a database? I don't think my site needs encryption; it wouldn't hurt too much if the passwords were compromised.

Bob

4 Answers

2

Whoa. I would say it's quite insecure. Is there a reason for not using a database?

Alternatively, to make it more secure without a database if you wish, you could create a combination of username+password encoded with md5 and/or sha1, save it as an extensionless file in a directory, and check whether the combination is right with file_exists.

ASertacAkkaya
  • In what way isn't this secure? The main password is needed to write to the php file, and to access the password php file. I do not need world class security. – Bob Feb 02 '13 at 14:42
  • Your friends could find each other's passwords easily? Mainly it's privacy. – ASertacAkkaya Feb 02 '13 at 14:53
  • If the main password is needed to access the password php file then how are your friends accessing it when they login? And where is the main password being stored, in a text file or as a php variable? –  Feb 02 '13 at 14:58
  • Then let me gather this up. You have a form that is posting username password to, say, process.php. This file reads from pass.php?p=mainPassword and compares with each line? – ASertacAkkaya Feb 02 '13 at 15:08
  • @user1928545 As a php variable. – Bob Feb 02 '13 at 15:34
  • So then your friends are basically entering two passwords when they login? The main password and their own password? If this is the case I guess it's adequately secure. I mean, like you said, you don't want world class security. Just as long as the main password is never made public you should be fine, but in reality your friends shouldn't even need a personal password then, just one password for everyone. –  Feb 02 '13 at 16:57
  • No, only their password. The main password is stored in another php file. – Bob Feb 13 '13 at 00:18
0

Check out the site http://www.hackthissite.org It allows you to do real life examples of how people hack websites. One of the basic missions is learning to get passwords from an included text file. If anyone figures out the whereabouts of the text file (hidden files can be found easily), then they will have access to all of your passwords. It's up to you; you might as well not even have a login system if you don't care about security. If you do care though, just get MySQL, it's free and it's not hard to use.

0

These are a few suggestions for improving your current method.

  • You can restrict direct access to this file, using the Apache rewrite module as I remember.

  • Use a complex password (a phrase with special chars and numbers) as the main password used for the page access.

  • For the main password also, compare the md5 or sha1 hash value of the password with the md5 or sha1 hash value of the GET variable, instead of putting plain text there.

  • Store md5 or sha1 hashes of the passwords instead of storing plain text passwords. Then, when comparing the passwords, you can convert the user-entered value to its hash and compare it with the stored one.

  • When hashing, you can use a seed for that as I remember, which will increase the security a little bit more.

This will make it a little bit more secure, because if someone logs into the server, he cannot directly get the password text of your users. But please be aware that most hash values can be broken using a rainbow table. Still, this is at least more secure than storing a plain text password.

But I would still prefer it if you can store your data in a database instead of a file like this.

Manjula
0

It doesn't matter whether you store the passwords in a file or in a database; the same measures should be taken. Do not store the plaintext password there; instead store only the hash value of the password. So even if somebody can read the file, he doesn't know the passwords. As a side effect, it will also avoid encoding problems with special characters.

Use a slow key-derivation function like BCrypt to hash the passwords. Fast hash functions like MD5 or SHA-512 are not appropriate for hashing passwords, simply because an attacker can brute-force them way too fast (about 8 Giga MD5 values per second with common hardware).

PHP soon offers two simple functions, password_hash() and password_verify(), to generate and check such BCrypt values. There also exist functions for older PHP versions; have a look at this answer.

martinstoeckli
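The file-based store the question asks about, combined with the hashing advice in Manjula's answer and the BCrypt recommendation in martinstoeckli's answer, as an added example that is not code from the question or from any of the answers: a flat file holding one `username:hash` line per user, written with password_hash() and checked with password_verify() (PHP 5.5 or later). The file location (a private/ directory next to the script, outside the web root), the `username:hash` line format and the function names are assumptions made for this example.

```php
<?php
// Added example, not code from the question or the answers. Requires PHP 5.5+
// for password_hash()/password_verify(). Path and line format are assumptions.

// Keep the store outside the document root so the web server can never serve
// it directly, whatever request parameters are supplied.
define('USER_STORE', __DIR__ . '/../private/users.txt');

// Read "username:hash" lines into an array keyed by username.
function load_users($path) {
    $users = array();
    if (!is_file($path)) {
        return $users;
    }
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        // Split on the first ':' only; a bcrypt hash never contains ':'.
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] !== '') {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

// Rewrite the whole store. LOCK_EX stops two concurrent writers from
// interleaving their output and corrupting the file.
function save_users($path, array $users) {
    $dir = dirname($path);
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    $lines = '';
    foreach ($users as $name => $hash) {
        $lines .= $name . ':' . $hash . "\n";
    }
    file_put_contents($path, $lines, LOCK_EX);
}

// Create a user or reset a password. Only the bcrypt hash is written; the
// random salt is generated by password_hash() and embedded in the hash string.
function set_password($path, $name, $password) {
    if ($name === '' || strpbrk($name, ":\r\n") !== false) {
        throw new InvalidArgumentException('username must be non-empty and contain no ":" or newline');
    }
    $users = load_users($path);
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    save_users($path, $users);
}

// Check a login attempt. password_verify() recomputes the hash with the
// stored salt and cost and compares it in constant time.
function check_login($path, $name, $password) {
    $users = load_users($path);
    if (!isset($users[$name])) {
        return false;
    }
    if (!password_verify($password, $users[$name])) {
        return false;
    }
    // If PHP's default cost has gone up since the hash was made, upgrade the
    // stored hash now, while the plaintext is available.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
        save_users($path, $users);
    }
    return true;
}

// Demonstration with a constructed user; run from the command line.
set_password(USER_STORE, 'alice', 'correct horse battery staple');
var_dump(check_login(USER_STORE, 'alice', 'correct horse battery staple'));
var_dump(check_login(USER_STORE, 'alice', 'wrong password'));
var_dump(check_login(USER_STORE, 'nobody', 'anything'));
```

Placing the file outside the document root achieves what the first suggestion in Manjula's answer asks of the rewrite module without any server configuration, and it removes the need for the main-password GET parameter from the question entirely: the file can still be edited like a text file, but a reader who obtains it learns only salted bcrypt hashes, which rainbow tables do not help against.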