Just out of curiosity, which is safer: storing hashed/encrypted passwords in a database or txt file?
I've been looking into writing a flat file script. Alternatively, I was wondering if it would be safe to create a file called config.php, chmod it to 666 and from the control panel 'build' the file contents and write it to the config.php file -- or edit it manually.
Which way should I go with this?
Use MySQL (database) ... not only the safest, but easiest too.
Speaking from hard-learned experience - use a database. Had I done that when advised, I would be miles ahead of where I am now.
Always, always DB! A txt file can be opened by anyone, then they can use a brute forcer like John the Ripper to break the password. ALWAYS USE DB!! Ha ha, a little too much there.
But it's the truth: always use DB. Then either encode in SHA or MD5 inside DB. That way it's safer.
But never store in TXT file! Anyone can open it, not safe at all.
Not only will it be more secure but it will be more efficient and more dynamic. If you stored it in a txt file you would have to iterate through every line until you found the specific user. With a DB it utilizes (generally) a binary search and will, in most cases, find it faster and with less resources.
Beyond that, security is huge. Even with storing in a database you should still hash the passwords to protect both your site and your users. I would recommend using the SHA-2 hashing function as things like SHA-1 and MD5 can be cracked.
I agree, but FYI, all three of those can be cracked, even SHA-2 can be cracked. They are all one-way hash based encryption routines, and even though they are a "one-way" (meaning they cannot be un-encrypted back to original) hash encryption they can be brute forced using a comparison hacking program like Jack the Ripper or another such program. All can be hacked if you can get the encrypted version to compare against. "Quoted from Applied cryptography by Bruce Schneier"
Originally Posted by ShaneC
So in short they are harder to crack but can still be cracked. But for better security do it the way we just stated man. Security is the key.
Hashing along with salting, and making sure users enter strong passwords will be pretty secure.
If you want to store your passwords automatically, you can create a database for your passwords, and all passwords will be stored automatically.