I have an xml file where I store all usernames and passwords. I want to check the xml file for authentication. But I need to keep the xml file secure. How should I do it?
I mean I want to encrypt the XML file itself, using XML signatures, something like that in PHP. – simplyblue Mar 07 '11 at 04:00
3 Answers
If you're only using this for the purposes of authentication, you shouldn't store the password itself, but rather a salted hash of the password. You'd then compare the value the user entered after running it through the same process.
There are some good PHP-specific tips in the existing "How to hash and salt passwords" question.
Don't store the plain passwords in the XML if possible.
A better way would be to store a hashed value (e.g. using SHA-1) and later, when you're checking authentication, hash the given password again using the same algorithm and just compare if it's the same hash value as you've stored in the XML file.
PHP even offers the function sha1() for this purpose.
It's always possible to not store passwords in plain text. Plain and simple, don't do it! Passwords should always be encrypted in some way. Even base64 is better than plain text. – FreeAsInBeer Mar 06 '11 at 15:50
But be sure you understand the implications of the way you're storing the data. Obfuscating data makes the "readable" passwords go away, but only hinders inexperienced people. Either use real and proven encryption algorithms or store them in a way where the data cannot be extracted anymore (like with hashing, as FreeAsInBeer suggested too). Sometimes there is no other way than to store the password itself, but then make it extra-sure that it's as hard as possible for attackers to regain the plain data. – Kosi2801 Mar 06 '11 at 16:02
You might want to consider storing a salted hash of the password instead of encrypting the entire XML file. This SO link contains a great explanation as well as links that should help you understand the process better.
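The salted-hash approach suggested in the answers, applied to an XML user file, as an added example that is not code from any of the posts. It uses PHP's built-in `password_hash()` and `password_verify()`; the `<users>`/`<user>` layout, the attribute names and the function names are assumptions made for illustration.

```php
<?php
// Added example: element, attribute and function names are assumptions.
function loadUsers(string $path): SimpleXMLElement
{
    $xml = is_file($path) ? simplexml_load_file($path) : new SimpleXMLElement('<users/>');
    if ($xml === false) {
        throw new RuntimeException('users file is not valid XML');
    }
    return $xml;
}

function findUser(SimpleXMLElement $users, string $name): ?SimpleXMLElement
{
    foreach ($users->user as $user) {
        if ((string) $user['name'] === $name) {
            return $user;
        }
    }
    return null;
}

function addUser(string $path, string $name, string $password): void
{
    $users = loadUsers($path);
    if (findUser($users, $name) !== null) {
        throw new InvalidArgumentException('user already exists');
    }
    $user = $users->addChild('user');
    $user->addAttribute('name', $name);
    // password_hash() picks a random salt and embeds it in the returned string.
    $user->addAttribute('hash', password_hash($password, PASSWORD_DEFAULT));
    file_put_contents($path, $users->asXML(), LOCK_EX);
    chmod($path, 0600); // readable and writable by the owning account only
}

function checkLogin(string $path, string $name, string $password): bool
{
    $user = findUser(loadUsers($path), $name);
    // password_verify() re-derives the hash using the salt stored in the hash string.
    return $user !== null && password_verify($password, (string) $user['hash']);
}

// Constructed demo data, written to a temporary file.
$file = sys_get_temp_dir() . '/users-demo-' . bin2hex(random_bytes(4)) . '.xml';
addUser($file, 'alice', 'correct horse battery staple');
var_dump(checkLogin($file, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($file, 'alice', 'wrong guess'));
var_dump(checkLogin($file, 'mallory', 'anything'));
```

In a real deployment the XML file belongs outside the web root so the web server never serves it directly.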