Is it considered secure to store sensitive data in text files, if it is ENCRYPTED?



johnnnn
01-17-2010, 10:27 PM
I was just curious, is that a good idea? All sensitive data will be protected and encrypted via crypt(). Is this generally unsafe?

I was also considering saving the file as .php, and adding

<?php exit(); ?>

as the first line so nobody can even see the encrypted passwords, just a blank page.

Which way should I go with this?
Thanks!

Zoic
01-17-2010, 10:36 PM
Using "exit" on the first line will stop execution (and show a blank page) for not only people that view the page directly, but your scripts that read the files as well.

I highly recommend not using files to store sensitive information (such as passwords) even if they are encrypted. It would be best to store them in a database.

MattF
01-18-2010, 10:07 AM
File system storage has the exact same principles as database storage. Make sure passwords aren't stored in plaintext, (I'd use something a bit more robust for hashing, btw). With regards to whether it is less secure than storing them in a DB, the answer is no, provided access permissions and suchlike are correct. Don't save the files as .php files, btw.

sir.jones
01-18-2010, 05:38 PM
@ johnnnn
I always use plain text for everything that gets stored: .ini, .php, .csv, .inc or similar. And I'm not saying using flat files is more secure than a DB, but I believe neither a DB nor plain text is 100% bulletproof.

I think I will say using plain text is as safe as using a DB, provided that you don't forget to encrypt the output data that will be stored to plain text, especially passwords; use robots.txt to avoid search engine crawlers, use .htaccess to avoid direct access, etc. Using 0644 or at least 0755 for file permissions is better than 0777.

Regards

JAY6390
01-18-2010, 06:24 PM
Personally I always use the method of hasing passwords. You shouldn't store passwords at all. They're not needed, as you can always use a password reset function if it comes to it.

MattF
01-18-2010, 06:34 PM
Personally I always use the method of hasing passwords. You shouldn't store passwords at all. They're not needed, as you can always use a password reset function if it comes to it.

Hasing? If you don't store any passwords, how can you have a reset function for them?

JAY6390
01-18-2010, 06:38 PM
You store the hash, not the password...

Edit: I meant hashing not hasing, simple typo :)

MattF
01-18-2010, 06:43 PM
You store the hash, not the password...

Edit: I meant hashing not hasing, simple typo :)

Ah, that makes sense now. :D The penny just wouldn't drop before, no matter how many times I read your post.

Fou-Lu
01-18-2010, 06:57 PM
...how sensitive are you talking here?
First and foremost, this file should not be a published one. Period. Ensure that it is never in a location where it could be accidentally served by a webserver.

Second, the permissions of the file should be owned by your user, and perhaps grouped to the account used for apache. 060 privileges.

Third, crypt is not a suitable encryption algorithm. Look into encryption with RSA or DES. Hashing is not an option if you need to reverse it in a timely manner. Should you be storing just a comparable value such as a password, hashing is fine. If you're storing credit card or financial numbers (be aware of the legalities involved with this), you must encrypt it, and your encryption has to be at least as strong as required by financial institutes. Watch your encryption strength as well; some countries do not allow the general population to exceed a certain bit level on their cyphers.
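A worked example to go with JAY6390's "store the hash, not the password" advice and Fou-Lu's points about file location and permissions. This is added code, not from anyone in the thread; it uses PHP's password_hash()/password_verify() (PHP 5.5+) in place of the crypt() call johnnnn mentioned, and the store path is an assumption (one directory above the document root).

```php
<?php
// Added example (not from the thread): a minimal credential store that keeps only
// password hashes, in a file outside the web root, readable by the owner only.
declare(strict_types=1);

// Assumed location: a directory that the web server never serves from.
const STORE = __DIR__ . '/../private/users.txt';

function loadStore(): array {
    if (!is_file(STORE)) {
        return [];
    }
    $users = [];
    foreach (file(STORE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        // Format is "name:hash"; bcrypt hashes use '$' as separator, never ':'.
        [$name, $hash] = explode(':', $line, 2);
        $users[$name] = $hash;
    }
    return $users;
}

function saveStore(array $users): void {
    $dir = dirname(STORE);
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    $lines = '';
    foreach ($users as $name => $hash) {
        $lines .= $name . ':' . $hash . "\n";
    }
    // Write to a temp file and rename, so a crash never leaves a half-written store.
    $tmp = STORE . '.tmp';
    file_put_contents($tmp, $lines, LOCK_EX);
    chmod($tmp, 0600);   // owner read/write only; no group/world access
    rename($tmp, STORE);
}

function registerUser(string $name, string $password): void {
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        throw new InvalidArgumentException('bad user name');   // keeps ':' out of the file
    }
    $users = loadStore();
    // Store the hash, not the password: password_hash salts and uses bcrypt by default.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    saveStore($users);
}

function checkLogin(string $name, string $password): bool {
    $users = loadStore();
    return isset($users[$name]) && password_verify($password, $users[$name]);
}
```

Because only hashes are stored, a leaked users.txt reveals no passwords, and a forgotten password is handled by a reset flow rather than by decrypting anything.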
