The password should not be stored as plain text, but you should only store the hash (sha1) of that password and then when validating, process the input the same way and test whether the two hashes are the same. Then keep the actual password somewhere else (like Keepass)
Something like :
$salt = 'bar'; // should be a longer, complicated string with extended chars
$user = 'user'; // stored user name
$hash = '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33'; // stored password
$input_user = $_POST['txt_user'); // in this example, should be "user"
$input_pass = $_POST['txt_pass']; // in this example, should be "foo"
if ($user === $input_user && sha1( $input_pass . $salt ) === $hash) {
echo "Success!";
} else {
echo "Wrong password...";
}
You could even put that password string into a text file in the form of
user:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33
and load that like
$rows = file('path/to/password.file');
$valid = false;
foreach ($rows as $line) {
list($row_user, $row_pass) = explode(':', $line);
if ($user === $input_user && sha1( $input_pass . $salt ) === $hash) {
$valid = true;
break;
}
}
if ($valid) {
echo "Success!";
} else {
echo "Wrong password...";
}
This way, your data is separated from the code and can easily be modified (from an IT, of course!). The file should be outside of your document root, obviously, or denied access via .htaccess file. Usually, any file starting with a dot are not allowed access.