-2

Let's say I've got an application where my "administrators" are able to see the regular users passwords easily. They can even change it, if they need to.
When a new user comes, the "admin" adds the user to the "system", and gives him the password he just typed. Then the user may change it.
If the user forgets his password, he asks the "admin", who will be able to see it and tell him.

In that application, let's say the passwords are stored in files which are stored in a directory.
The "administrators" are using (let's name it easily…) "admin.php" to access to their administration interface.

Is it safe to choose not to encrypt the passwords but to chmod the directory to "0700", so that only the "admin.php" script can access/modify it?
If not, can you tell why it is not safe to store it in a "0700" folder?
Is a SQL database safer than a "0700" folder?
What is the best way to do it?

Takit Isy
  • 2
    Why would you want to do that? Aren't you using a database with prepared statements? `password_hash()` would really be the way to go here. – Funk Forty Niner Mar 01 '18 at 13:45
  • Usually it is **not** safe to store unencrypted passwords ;) – shadowsheep Mar 01 '18 at 13:45
  • 4
    it's not safe. The passwords should always be hashed, and the procedure for a user who forgot their password should always be for them to set up a new one. – Kasia Gogolek Mar 01 '18 at 13:47
  • @FunkFortyNiner Well, my "admins" aren't fond of php, databases and all that stuff… They need a really minimalist set of tools. – Takit Isy Mar 01 '18 at 13:47
  • 3
    *"Well, my "admins" aren't fond of php, databases and all that stuff"* - Well, they should be and those admins probably don't know what they're doing if they're asking you to post a question here. – Funk Forty Niner Mar 01 '18 at 13:48
  • in any case, if that folder/files isn't outside the public area, it should. Then, you/they could include the folder/files(s) in their call to whatever they want to do here. – Funk Forty Niner Mar 01 '18 at 13:51
  • @FunkFortyNiner: They're not asking me to post a question here. I am asking myself… to be sure about safety concerns. – Takit Isy Mar 01 '18 at 13:52
  • What a silly group of admins you have. How do they expect you'll verify passwords if you're not going to use some server-side language to perform the operation? Actually, I don't think they care how you do it - I think you're balking at setting it up properly. – Jay Blanchard Mar 01 '18 at 13:54
  • The best way? **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Mar 01 '18 at 14:00
  • Considering security and companies, one should **always** think about the case of a fired admin that wants to revenge, or a guy in work experience that does a wrong manipulation. Password hashing solves naturally these cases. – Kaddath Mar 01 '18 at 14:32

3 Answers

3

The point of hashing passwords is so that nobody except the user themselves can know the password. Because the password is supposed to be secret, and the secrecy of that piece of information is the only form of security the user has.

By storing passwords in plaintext, you make it possible for people other than the actual user to know the password. That replaces the security of mathematical certainty (or at least probability) with the security of human fallibility, system configuration and business procedures. At least one of which is more likely to fail than math.

If your admins are reading the password back to users over the phone, they have basically already failed the procedure part. Sounds like your organisation isn't treating passwords as a form of security, but an inconvenience to work around to begin with, so… whatever I guess? ¯\_(ツ)_/¯

deceze
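To make the answer concrete for the file-based setup in the question, here is an added example (not code from the question or any answer) of a minimal credential store in PHP: each user gets one file in a 0700 directory that holds only a `password_hash()` value, and the admin "forgot my password" path issues a fresh temporary password instead of reading the old one back. The directory name `$storeDir` and the function names `setPassword()`, `verifyPassword()` and `adminReset()` are assumptions for the example.

```php
<?php
// Added example, not from the original post. Assumed names: $storeDir,
// setPassword(), verifyPassword(), adminReset(). Only bcrypt hashes are
// written to disk, so a file that leaks does not leak a usable password.
declare(strict_types=1);

$storeDir = __DIR__ . '/passwd'; // assumed location; keep it outside the web root

function userFile(string $dir, string $user): string {
    // Restrict the user name so it cannot smuggle in path separators.
    if (!preg_match('/^[a-z0-9_.-]{1,32}$/i', $user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    return $dir . '/' . $user;
}

function setPassword(string $dir, string $user, string $password): void {
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create credential store');
    }
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted bcrypt
    $path = userFile($dir, $user);
    file_put_contents($path, $hash . "\n", LOCK_EX);
    chmod($path, 0600);                                  // owner-only, like the directory
}

function verifyPassword(string $dir, string $user, string $password): bool {
    $path = userFile($dir, $user);
    if (!is_file($path)) {
        // Spend comparable time so an unknown user is not revealed by timing.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    $hash = trim((string) file_get_contents($path));
    return password_verify($password, $hash);
}

function adminReset(string $dir, string $user): string {
    // Replaces "the admin reads the password back": a one-time temporary
    // password is stored hashed and shown to the admin exactly once.
    $temporary = bin2hex(random_bytes(9)); // 72 bits of randomness
    setPassword($dir, $user, $temporary);
    return $temporary;
}

// Constructed usage: enrol a user, check a login, then perform an admin reset.
setPassword($storeDir, 'alice', 'correct horse battery staple');
var_dump(verifyPassword($storeDir, 'alice', 'correct horse battery staple'));
var_dump(verifyPassword($storeDir, 'alice', 'not the password'));
$temporary = adminReset($storeDir, 'alice');
var_dump(verifyPassword($storeDir, 'alice', $temporary));
```

The temporary password should be treated like any other reset token: shown once, and the user prompted to replace it at the next login.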
0

This isn't safe at all. You should always use salted password hashing. There isn't a single excuse not to hash passwords.

Maplicant
  • Except when the business can make a case for it being more productive for admins to read forgotten passwords back to the user instead of going through a reset procedure… ¯\_(ツ)_/¯ – deceze Mar 01 '18 at 14:35
0

Safe is a relative word. There's a degree of safety in that an admin's privilege level or a system acts as a security measure, because it's a barrier to accessing that directory. Bypassing either of those grants direct access to those passwords, whereas that wouldn't be the case if they were hashed. Hashes are one-way functions, meaning that you can't derive the password unless you perform a rainbow table attack, which, along with those two security barriers, further increases the cost for an attacker. And that, from an information security standards standpoint, is a good security practice. That said, hashes aren't absolutely safe either. There are databases out there with hashes, so the rainbow table cost can be avoided. So overall, it's less safe because they aren't using standard security practices.

cyberjitz