views:

330

answers:

8

Hello everyone, I want to build a simple single user login "library" in PHP, but I'm facing the following dilemma: how should I store username and password if I'm not using a database?

A simple plain text file could be easily read and then the password could be easily decrypted, so that's not an option.

If I create a php file with just

<?php
    $Username= "username";
    $Password= "password";
?>

then no one should be able to read it and I could simply include this file where I need it, but I'm not really sure you can't find a better way to do this!

So what's, in your opinion, the best solution to this problem (and why)?

Thanks

+3  A: 

You can store it in a file and use a SHA1/SHA2 hash, that way it can't be decrypted.

user:<sha1hash>
user:<sha1hash>
...
webdestroya
SHA2 (or bcrypt), **please**!
SLaks
+3  A: 

A plain text file is an option, and it's the simplest solution here. Simply hash the password (with salt). It is not reliably decryptable.

You can use PHP's md5 or sha1 hash functions for this.

Daniel DiPaolo
There are some tools that try to decrypt md5 and sha1, and at least in some cases they seem to work (I tried them once). I don't think the salt would be useful then, you just need to make a few tries.
Mokuchan
If you want to use a strong encryption/hash then that's fine but a flat file with a hashed password in it is definitely the easiest solution.
Daniel DiPaolo
To quote SLaks: "use SHA2 (or bcrypt), **please!**"
Jacco
**Anything** can be brute-forced. MD5 and SHA1 don't exactly have a key weakness that these tools abuse (though they *do* have key weaknesses!) It's just that they're quick algorithms, so it's not a big deal to try millions of possible hashes to find the right one. Slower algorithms are actually stronger in that sense.
Matchu
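
The point made in the comments above, that fast algorithms are cheap to guess against and slower ones are stronger, can be measured. The following is an added example, not code from any poster; the function names, the sample password and the 50 ms target are assumptions, and it uses PHP's built-in `password_hash()` (PHP 7.4+ syntax).

```php
<?php
// Added example: compare the per-guess cost of a fast hash with bcrypt,
// and pick a bcrypt cost that makes each guess take a chosen minimum time.

/** Average seconds taken by one call of $fn over $runs calls. */
function secondsPerCall(callable $fn, int $runs): float
{
    $start = microtime(true);
    for ($i = 0; $i < $runs; $i++) {
        $fn();
    }
    return (microtime(true) - $start) / $runs;
}

/** Lowest bcrypt cost whose single hash takes at least $targetSeconds. */
function calibrateBcryptCost(string $password, float $targetSeconds, int $maxCost = 14): int
{
    for ($cost = 4; $cost < $maxCost; $cost++) {
        $t = secondsPerCall(
            fn () => password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]),
            1
        );
        if ($t >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

$password = 'correct horse battery staple'; // constructed sample value

// A salted SHA-1 is still one fast operation per guess.
$sha1 = secondsPerCall(fn () => sha1('somesalt' . $password), 100000);

// bcrypt doubles its work with every cost step; aim for about 50 ms per hash.
$cost = calibrateBcryptCost($password, 0.05);
$bcrypt = secondsPerCall(
    fn () => password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]),
    3
);

printf("salted SHA-1:   %.0f hashes per second\n", 1 / $sha1);
printf("bcrypt cost %d: %.1f hashes per second\n", $cost, 1 / $bcrypt);
```
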
A: 
  • You can use a plain text file with a hash or crypt function. It's reliable but not really flexible if you have a lot of users.

  • You can also use SQLite which is a database but which isn't a server and which is stored in a simple file. It's a nice compromise if you can't install a SQL server but want to store a lot of users and have more flexibility.

  • Depending on what you want to do, an .htaccess could be a good solution. It's already secure but like the plain text solution it's not really flexible. But it's built into almost all Apache configurations.

Boris Guéry
+1  A: 

If you need multiple accounts, a plain text file would be easier than using a PHP source file. I think you're worried about people requesting the file through their browser though?

Check if your web host has some kind of directory that isn't publicly accessible, for example a parent directory of where the actual web content is. PHP will usually be able to read and write there, but it won't be accessible through the web.

File permissions and/or .htaccess files (Apache) may help you if there is no such directory you have access to.

I suggest you use the crypt function to store the password (hash), rather than storing plain passwords. This is a separate issue from where you are storing them though :)

Thorarin
I thought about file permissions but I wouldn't know how to set them to make it work: is PHP considered as "user" and external requests as "other"?
Mokuchan
@Mokuchan: Depends on the server configuration. Easiest to find out by checking `phpinfo()` output for user/group.
Thorarin
+1  A: 

What is the purpose of having a username if there's only ever one user?

Might as well just manage permissions using .htaccess...

BlueRaja - Danny Pflughoeft
It's for allowing access to admin functions so even though there is only one admin you still need the password at least. Maybe you don't need the username but the problem won't change.
Mokuchan
@Mokuchan: The problem won't exist if only your computer has access to the page...
BlueRaja - Danny Pflughoeft
@BlueRaja: You're right but it's for a website.
Mokuchan
@Mokuchan: You use .htaccess so that only your computer can access the administrator page. See [here](http://www.freewebmasterhelp.com/tutorials/htaccess/), [here](http://www.javascriptkit.com/howto/htaccess.shtml), and most importantly, [here](http://www.javascriptkit.com/howto/htaccess5.shtml).
BlueRaja - Danny Pflughoeft
I'd just build the admin panel as a local website existing on your own computer, and have it connect directly to the database. That is, unless you need to share some libraries. But you should be developing your website locally, anyway, so include them from your local copy :)
Matchu
+1  A: 

(This started out as a comment to Daniel DiPaolo, in response to Mokuchan.)

If you want to store a password (no matter the location), you use the following scheme:

$hashedPassword = $salt . hash('sha256', $salt . $password); // hash() takes the algorithm name first; 'sha256' is one SHA2-family choice

The storage location of the hashed password should be safe. Be it in a database or in a file with the proper permissions set.

If a file, your 'record' for the user bob with password secret would look something like this (using BCrypt Hash):

bob:$2a$05$tlk4M8WSpVkO7ER6QGxcwuY91MrBCQn.TCDZ5eOM1iz2sCChtR62K

There is no way for anyone to 'decrypt' the password. That's the whole point of using a Hashing algorithm: it is non-reversible.

You state that:

There are some tools that try to decrypt md5 and sha1, and at least in some cases they seem to work

As hashing algorithms are non-reversible, this is not possible. (There is no 'decrypt' option)

My best guess is that you are referring to a tool that looked up a hash from a precomputed table and it returned a valid input string, likely to be your password.
These tables are called rainbow tables. They can be defeated by A) using a random salt and B) using a strong hashing algorithm (BCrypt hash or SHA2-family hash for example)

Regarding improper hashing algorithms: MD5 and SHA1 are considered cryptographically broken. In other words: you should not be using them any more.

For a discussion on this, see: http://stackoverflow.com/questions/2768248/is-md5-really-that-bad

Jacco
A: 

Ditto to all those saying you can encrypt the password.

Also, don't put the file in the document tree. Put the file somewhere else. Your PHP program should still be able to read it by specifying an absolute path or a relative path that goes ".." however many levels to work up the hierarchy and then to where the file is. (In Java apps, there's a WEB-INF directory that is convenient for storing this sort of stuff. I don't think there's anything like that in PHP -- it's been a while since I've done any PHPing -- but you can always just put the file completely outside your application's directory hierarchy.)

Jay
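
The `user:hash` file record from Jacco's answer, combined with the advice from Thorarin and Jay to keep the file out of the document tree, could look like this. It is an added example and not part of any post above; the function names and credentials are assumptions, and it relies on PHP's built-in `password_hash()` / `password_verify()` (PHP 7.1+ syntax), which generate and store the salt themselves.

```php
<?php
// Added example: one "user:hash" record in a flat file, bcrypt via password_hash().
// Function names are hypothetical; the credentials below are constructed samples.

/** Write the record with owner-only permissions, replacing any old file. */
function saveCredential(string $file, string $user, string $password): void
{
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name is empty or contains ":" or a newline');
    }
    // password_hash() generates a random salt and embeds it, with the cost, in its output.
    $record = $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, $record, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0600);   // owner (the PHP user) may read and write, nobody else
    rename($tmp, $file); // replace the old record with the new one
}

/** True only when both the user name and the password match the stored record. */
function checkLogin(string $file, string $user, string $password): bool
{
    $line = is_readable($file) ? trim((string) file_get_contents($file)) : '';
    // Split on the first ':' only; a bcrypt string contains '$' but never ':'.
    [$storedUser, $storedHash] = array_pad(explode(':', $line, 2), 2, '');

    // Verify the password even when the user name is wrong, so both failures do the same work.
    $passwordOk = password_verify($password, $storedHash);
    $userOk = hash_equals($storedUser, $user);
    return $userOk && $passwordOk;
}

// Demo on a temporary file. In deployment, use a path outside the document root.
$file = sys_get_temp_dir() . '/admin.cred.demo';
saveCredential($file, 'bob', 'secret');
echo file_get_contents($file);                    // the stored record
var_dump(checkLogin($file, 'bob', 'secret'));
var_dump(checkLogin($file, 'bob', 'wrong'));
var_dump(checkLogin($file, 'alice', 'secret'));
unlink($file);
```
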
A: 

Do not reinvent the wheel, use this one http://pear.php.net/manual/en/package.fileformats.file-passwd.file-passwd-unix.php

crrodriguez
Thank you, but I think that reinventing the wheel is quite instructive: you can come up with interesting problems like this one and actually learn a lot.
Mokuchan