Can you safely store passwords in PHP?

Question

I recently made a PHP login script with a Username and Password login for a test with sessions and no MySQL.

I stored the passwords in an array like this

$filepassword[1] = "123"; // User Bob
$filepassword[2] = "321"; // User Tim

The user names are stored the same way in an array like so

$fileuser[1] = "Bob"; // Password 123
$fileuser[2] = "Tim"; // Password 321

I use Post to get the inputtedd password and then put it in a for loop and if the password equals one in the array it breaks and returns 1 and then checks to see if the numbers match for the username and checks it for a match.

But, should Istore the passwords or even a hash of them in a php file?

You should never store passwords directly, only store their hash! — Madsen, May 29 '13 at 09:46
Passwords are meant to be hashed and stored in database, and not in arrays — Mr. Alien, May 29 '13 at 09:47
It doesn't really matter where you store them, what matters is *how*. See http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php — Jon, May 29 '13 at 09:47
Ok, but say I do hash them, but then can I store them in a .php file that get's included in the checking function? — , May 29 '13 at 09:48
@Mr.Alien For sites that have only few users (mostly to update content on the web-site) it's _ok_ to store users in files. — Leri, May 29 '13 at 09:48
Check this [link](http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php) — Abrah, May 29 '13 at 09:52
Well I don't know how to use MySQL so I don't I know how to check it with a for loop in php but can't think of a reason to even install MySQL on my computer just to test and mess around on my PC. — , May 29 '13 at 09:53
You have probably chosen the most complicated array setup ever. What's wrong with a simple `$array[$username] = $password`? — deceze, May 29 '13 at 09:53
Oh, I think I did @deceze I didn't think about that, like I said I'm just messing around and I've only just started with PHP, this was my first time using POST, includes and functions really. — , May 29 '13 at 09:55
Just want to throw out that MySQL is *really easy*, good fun, and simple if you follow a few tutorials. — Jimbo, May 29 '13 at 09:58
@Jimbo I'll check it out I know a few people who know a bit of it and I can make Databases for a few things that need it. Just don't know how to manage them or use them really. — , May 29 '13 at 10:06
@Loper324 Quick step-by-step: Your database has: id, username, hash. When someone registers, you hash the password and store the username and **hash** in the db. When they login, they `$_POST` their username and password, you *get the hash from the database* (by getting all details for that username) and then use `password_verify($_POST['password'], $hashFromDatabase)`. If `true`, they can log in. Simples. — Jimbo, May 29 '13 at 10:08

Jimbo · Accepted Answer · 2013-05-29T10:02:41.720

12

Why would you use a php file for storage of usernames and passwords? It's pretty standard (and simple nowadays) to use a database for username / password retrieval.

That being said, you don't want to store the password in plain text in the database.

PHP 5.5 has a whole new set of password functions coming out, so how about you use a library that allows for forward compatibility of these functions? Password_compat.

The point is, you include the file, use it's functions, and then when 5.5 comes out, you just remove the include and all the functions will still work because they're part of core.

It's really simple to use:

Hash the password using password_hash()
Store the username and hash in the database
When logging in, use password_verify() to verify the password sent in $_POST against the hash in the database.

That's it! Simple, secure, forward compatible. Highly recommended over flat file storage.

You really should take the time to learn MySQL. However, it's great to code to an interface rather than a concrete implementation and switch out one type of storage for another any time you want.

That being said, hash your passwords and usernames and, if you must, write them to a file. At least they'll be hashed, and not in plain text. You can still use the functions described above.

You can even serialize() your array and write that to a file, then unserialize() it on the way back. But I'd really recommend taking the time out to learn the basics of MySQL, you'll pick it up in no time at all.

edited May 29 '13 at 10:02

answered May 29 '13 at 09:49

Jimbo

25,790
15
86
131

So I'd need to store the Password in a MySQL Database for it to be safe from people. Do the functions also stop the SQL injections I hear about all the time or is that something that I wouldn't have to worry about with the new functions? – May 29 '13 at 10:02
1

Great questions!! You store the **hash from the password** in the database, not the password itself to be safe. Glad you're actually wanting to do it the **right** way. You use PDO (or MySQLi, probably simpler at first) and [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) to prevent this. Again, there are simple tutorials all over the net and if you go into them with the intent on learning it, you'll do great. If you choose PDO, **[here's a good tutorial](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers)**. – Jimbo May 29 '13 at 10:03
You don't need mysql (or any other database) for your password to be safe. Properly hashing the password is the important part here, not where it is stored. You could store the hashes in a `passwords.txt` file on your server (with proper file permissions and not web-accessible) and they will be as secure as being in the database. – Carlos Campderrós May 29 '13 at 10:08
@Jimbo Thanks for the link I've bookmarked it to read later when I get a chance. – May 29 '13 at 10:08
@CarlosCampderrós My post already explains that, although (honestly) not the preferred method, you can still do it using flat file. – Jimbo May 29 '13 at 10:09
jimbo your post quite explains it, but first @Loper324 response seems to assume that he needed a database to be safe, which is really not necessary for the safety (although very convenient for dealing with the data). – Carlos Campderrós May 29 '13 at 10:12
@CarlosCampderrós Fair point. Just trying to teach that the easy way is not always the best way ;) – Jimbo May 29 '13 at 10:13
@Jimbo I agree, I'd rather keep it all Server-side and keep it safe. – May 29 '13 at 10:15
Also @Jimbo I've only heard of that serialize what is it exactly, any tutorials or links? – May 29 '13 at 10:17
1

@Loper324 For any PHP functions, use the PHP manual (you can always find it by typing in google, for example, "PHP Serialize"). [Serialize](http://php.net/manual/en/function.serialize.php) just turns your data into a storable representation, you should try `var_dump(serialize($yourArray))` and see what it looks like. Just makes it storable. To get it back to how it was, you `unserialize()` it again. – Jimbo May 29 '13 at 10:18
@Jimbo I'll check into those tutorials and also get back to rewriting my code now to use the array with the username. For now I think I've got everything I'll need to last a good week of research and tutorials. Thanks for the help all of you. – May 29 '13 at 10:24

score 2 · Answer 2 · answered May 29 '13 at 09:48

2

Well yes and no.

PHP is a server side language so via the client no one can see the password.

BUT 1: if a hacker get access to the server your password aren't save and compromised. 2: a mistake is made and php files aren't see as php but text, so the server ouputs the PHP as text, again compromised

So in a meaning is it highly recommend to hash them atleast to be secure.

Then is the question of saving it in a php file. It has some problems. 1: not easy in use, with a database you can make nice searches etc 2: you load a (in time) huge array in php for only 1 value needed. Waste of memory

answered May 29 '13 at 09:48

MKroeders

7,562
4
24
39

So as long as I Hash the Password It can be safe from remote attacks. Only have to worry about people on a FTP or on my PC? (I'm running a local host website to test this) – May 29 '13 at 10:00
Well yes as long as you hash them it is safe (us a good hasing method, i use bcrypt). – MKroeders May 29 '13 at 10:03
I'm only just starting with things like this so I will try all of these methods. – May 29 '13 at 10:11

deceze · Answer 3 · 2013-05-29T13:25:15.040

For a small number of passwords, storing them in a file is perfectly feasible. You should just choose a sane array format, yours is... quite suboptimal. Also, as has been said, never store passwords in plaintext.

passwords.php

<?php

return array(
    'Bob' => '$2y$10$lwnevwevweuvuev...',  // hash of Bob's password
    ...
);

login.php

<?php

// include https://github.com/ircmaxell/password_compat functions
require_once 'lib/password.php';

$passwords = require 'passwords.php';

if (isset($_POST['username'], $_POST['password'])) {
    if (!isset($passwords[$_POST['username']])) {
        die('Invalid username');
    }
    if (!password_verify($_POST['password'], $passwords[$_POST['username']])) {
        die('Invalid password');
    }
    echo 'Hi there!';
}

As long as you store the passwords properly hashed using a robust algorithm, storing them in a file is hardly any more insecure than using a database. With the caveat that you should be really careful never to accidentally reveal the contents of that PHP file; a misplaced var_debug($passwords) or a misconfigured web server may make the password hashes publicly visible. In this case they're still hashed, but it's still better to keep them secret. Use a proven and user friendly library for hashing, like https://github.com/ircmaxell/password_compat.

I agree my setup for checking the username and password was rather crazy, I never thought to check it like that, I just jumped to the first thought I had with no planning other than to make a login script. — , May 29 '13 at 10:04

score -5 · Answer 4 · answered May 29 '13 at 09:49

-5

I think the most safe option is to use the md5() function. $fileuser[1] = md5($fileuser[1]); etc...

Convert everything to md5 and then you can compare the converted strings to each other for equality or unequality.

Hope i have helped.

answered May 29 '13 at 09:49

user2156064

21
1
3

2

How can one argue that md5() is safe... It seems like you to do some catching up w.r.t. security and hashing – Madsen May 29 '13 at 09:50
5

No. **Do NOT** use MD5. It's wide open to brute force attacks. Do a simple google for "why is md5 unsafe" or insecure, or something along those lines. I can't remember the numbers, but a powerful GPU can crack any MD5'd hash within minutes. – Jimbo May 29 '13 at 09:50
I agree with @Jimbo, [here](http://www.wired.co.uk/news/archive/2013-05/28/password-cracking) is a good article with the numbers I just happened to read today – juanreyesv May 29 '13 at 09:54
Funny how you guys spout nonsense without actually understanding *why* MD5 is labeled to be prone to brute force. Oh well, not everyone is blessed with the ability to think. – N.B. May 29 '13 at 09:57
And many are blessed with letting security experts figure out the security side, instead of rolling their own. – Jimbo May 29 '13 at 09:58

Can you safely store passwords in PHP?

4 Answers4