Saving Hashed Passwords in my database.php
#1

Looking for a way to store hashed passwords for my DB Connections in database.php file instead of plaintext.

Please let me know any examples.

Thanks,
Ashish
#2

Why? If somebody has access to your file system, they can investigate and find your DB credentials no matter where you put them, and no matter how you store them.
#3

(This post was last modified: 06-19-2017, 02:09 PM by natanfelles. Edit Reason: . )

I never did it but I believe that you can use Encryption Library.

But anyway, your encryption key will remain on the server. An attacker able to enter your server will surely be able to decode your passwords. The processing time will also increase due to having to decrypt the password every time you access the database. Maybe it's better to use a more reliable hosting.
#4

(06-19-2017, 07:35 AM)skunkbad Wrote: Why? If somebody has access to your file system, they can investigate and find your DB credentials no matter where you put them, and no matter how you store them.

Yeah, I got your point, but my employer doesn't want it to be saved as plain text. Hence, I was searching for the same.

Thanks for the reply!
#5

(06-19-2017, 02:08 PM)natanfelles Wrote: I never did it but I believe that you can use Encryption Library.

But anyway, your encryption key will remain on the server. An attacker able to enter your server will surely be able to decode your passwords. The processing time will also increase due to having to decrypt the password every time you access the database. Maybe it's better to use a more reliable hosting.

Thanks mate. But searching for other ways.
I will use this if I have no other options. :)
#6

https://defuse.ca/php-pbkdf2.htm

I adapted this class and put it in libraries. Easy to use!
#7

(06-19-2017, 02:08 PM)natanfelles Wrote: I never did it but I believe that you can use Encryption Library.

But anyway, your encryption key will remain on the server. An attacker able to enter your server will surely be able to decode your passwords. The processing time will also increase due to having to decrypt the password every time you access the database. Maybe it's better to use a more reliable hosting.

This library is not intended to be used for password handling; in fact, you will see the note as soon as you begin to read the documentation.

As of PHP 5.5.0 you can use password_hash to create a one-way hash, and for verification you can use password_verify.
#8

(06-21-2017, 02:50 AM)zashishz Wrote: Yeah, I got your point, but my employer doesn't want it to be saved as plain text. Hence, I was searching for the same.

Thanks for the reply!

Why does your employer not want it to be saved as plain-text? It seems more like an issue of them not understanding the situation rather than a technical issue?

Perhaps them being more educated would be a better solution than trying to implement an ineffective technical solution that doesn't really solve the problem. As natanfelles said, if the decryption key is on the server you don't gain any security benefits if your file system can be read, and it does introduce overhead, so you're gaining nothing but the costs are tangible.

What problem exactly are they trying to solve?
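
Added example, not code from any poster in this thread: it contrasts the one-way hash from post #7 with the reversible encryption from posts #3 and #8 when the secret is a database connection password. It assumes PHP 7.2+ with the sodium extension; the sample password, the in-memory key and the function name recover_db_password are constructed for illustration.

```php
<?php
// Added illustration. The credential and key below are constructed samples.
$dbPassword = 'constructed-sample-db-password';

// 1) One-way hash (password_hash / password_verify, PHP >= 5.5).
// This fits checking a password that a user submits at login.
$hash = password_hash($dbPassword, PASSWORD_DEFAULT);
$loginOk = password_verify($dbPassword, $hash);
// It does not fit database.php: the database server needs the real password,
// and nothing can turn $hash back into it.

// 2) Reversible encryption with the key kept on the same server.
// In a real deployment $key would be read from another file on that server.
$key    = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
$nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$stored = base64_encode($nonce . sodium_crypto_secretbox($dbPassword, $nonce, $key));

// The application has to run this before every connection. Anyone who can
// read both the stored value and the key file can run exactly the same code.
function recover_db_password(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored value is malformed.');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Wrong key or tampered value.');
    }
    return $plain;
}

$recovered = recover_db_password($stored, $key);

printf("password_verify accepts the password: %s\n", var_export($loginOk, true));
printf("hash equals the password:             %s\n", var_export(hash_equals($dbPassword, $hash), true));
printf("encrypted value decrypts to password: %s\n", var_export(hash_equals($dbPassword, $recovered), true));
```

The result is the same with any cipher: as posts #3 and #8 say, the protection depends on who can read the files on the server, not on how the stored value is encoded.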