Is it ever ok to store password in plain text in a php variable or php constant?

Question

As per question, is it safe to store passwords on php pages such as

$password = 'pa$$w0rd';

If the users can't see it, it's safe, right?

EDIT: Some people actually suggested using hash, however, there would be a problem with database server connection password, wouldn't it?

score 34 · Accepted Answer · answered Feb 20 '09 at 08:13

The short answer is both No, and It Depends.

It's almost never a good idea to store passwords in plain text, especially in a web accessible location, if for no other reason than a simple server misconfiguration or an echo in the wrong place could expose it to the world.

If you MUST store a password, (which is possible) you could try to store it outside the webroot, eg /var/www/public_html/ Put your codez here
/var/www/includes/ Put your passwords here

Even better than that would be to have the system that you need the password for (eg a database wrapper ) return an object already instantiated. so rather than asking for $databasepassword you ask for a PDO object, and store your database classes outside the webroot.

The It Depends comes from what attack vectors would cause someone to have access to that password text, and would it require them to be already inside your filesystem, if so, you're probably screwed anyway.

Also, if its the password to your supa-secrit subscriber content, meh, all you've lost is some subscription fees, if its your database, you may have a problem, if it's your online banking details, um good for you.

How valuable is the thing the password is protecting?

Wouldn't during authentication to database server, password in plaintext is sent over tcp/ip? — Hao Wooi Lim, Feb 20 '09 at 18:43
Most shared hosting has local database running on loopback only, so not really a problem there. Also if you aren't on shared hosting, there are possibly less security issues to worry about re filesystem access etc. — garrow, Feb 21 '09 at 04:25
Even though strongly recommended to not use the same password on multiple sites, many people will do it anyway. If your users' passwords are revealed, their security/privacy might be compromised in other applications too. — felixbade, Nov 15 '14 at 22:34

score 9 · Answer 2 · answered Feb 20 '09 at 09:37

Depending on how you define safe, any approach has its positive and negative aspects.

If you really want to store a password in your source, it might be a good idea to do something of the sort:

File: config.php

if( ! defined('IN_CODE') ) die( 'Hacking attempt' );

define( 'PASSWORD_HASH', '098f6bcd4621d373cade4e832627b4f6' );

File: index.php

define( 'IN_CODE', '1' );

include( 'passwd.php' );

if( md5($password) == PASSWORD_HASH )
...

Plain-text is never a good idea, always store a hash of the password you want to store.

Furthermore, try to seperate defines like this from your main sourcefile.

score 7 · Answer 3 · edited Jun 20 '20 at 09:12

Usually they can't see it. But if something bad happens on server there's a big possibility that server will return your php code in plain text w/o executing it and therefore user will see all source of that file and also your password.

I would store password somewhere where it's not on document root (Cannot be open in browser) and then open that file with php and read the content (password). Or if you have multiple passwords/users, I'd store them in database for fast access.

If you want to use the file method directory layout should look something like this (depneds on server)

/public_html/index.php

/password.txt

$myFile = $_SERVER['DOCUMENT_ROOT'] + "/../password.txt";
if file_exists($myFile) { 
   $fh = fopen($myFile, 'r');
   $password = fgets($fh);
   fclose($fh);
} else die("No password file");
if ($user_input == $password) {
   ...... Authentication succeeded ..........
   ......your relatively protected code .....
} else die("Wrong password");

If you want even more security instead of storing password as text in that text file. Sore it's hash and then when you want to compare it with user input generate hash from the user input and compare it to the password's hash you loaded from text file

sha1($user_input) == $password_from_txt

Wow, I had forgotten that I answered PHP questions. Still interesting to see a downvote almost 6 years later w/o a comment. Also, geez, world was so different back then. — Maiku Mori, Feb 13 '15 at 11:15

score 2 · Answer 4 · answered Feb 20 '09 at 08:10

2

As long as your PHP installation works as it should, this is no less secure than any other method. I would prefer named constant (define) over variable. Additionally you might consider storing a hash of the password, instead of plain password. This prevents stealing your passwords even if the site is compromised.

As for being bad practice, it depends. If you need to store just one password, this approach is ok. Storing them outside document root may give a false feeling of extra security; the document root is no more absolute than any other setting of the server.

answered Feb 20 '09 at 08:10

Joonas Pulakka

34,943
25
103
165

2

I've seen sites dumping out php source as plain text. If that happens and file is outside doc root, even if everyone knows where the file is from source, they can't "simply" access it from broswer. – Maiku Mori Feb 20 '09 at 08:28
I do understand the idea of storing things outside docroot, and maybe it adds some security, but I think it is overrated. If the site dumps out php source, it is badly broken. And if it is broken, the docroot could also be something else than we wish - for example / – Joonas Pulakka Feb 20 '09 at 08:32
1

Storing stuff outside the webroot is no panacea, you cant be just printing variables out willy-nilly. But it does give you a separation that you can then enforce in your code, classes and init go outside webroot, presentation code goes inside webroot. – garrow Feb 20 '09 at 08:34

score 0 · Answer 5 · answered Feb 20 '09 at 08:08

0

Unless the site itself is compromised and now so are all the things those passwords grant access to (your DB, perhaps?).

answered Feb 20 '09 at 08:08

Lawrence Dol

59,198
25
134
183

score 0 · Answer 6 · answered Feb 20 '09 at 08:09

0

It depends how you define 'safe'.

You are right in that a general user won't see it.

However it is definitely a bad practice; if your site is compromised, what else will these passwords give access to? I'd say at a bare minimum you should be storing a hash of the password, not the plaintext.

answered Feb 20 '09 at 08:09

DanSingerman

34,397
12
76
92

How do you connect to a database if you only have a hash of the password? – Piskvor left the building Feb 20 '09 at 08:35
Yeah - if the password is for a database connection (the OP doesn't state it is) then that is tricky – DanSingerman Feb 20 '09 at 11:38

score 0 · Answer 7 · answered Feb 20 '09 at 11:49

0

Sometimes it just has to be f.e. for a mail application where you can only login with the plain password and not with a hash. And if your application doesn't have security issues it should not affect you.

answered Feb 20 '09 at 11:49

Thomaschaaf

17,014
31
90
122

score 0 · Answer 8 · answered May 12 '09 at 19:32

I belive that most of the times plain text password would be database password as MySQL, for exmaple, won't accept hash for authentication.

As mentioned before best solution is to keep PHP config file with password outside the webroot.

If you are worried that someone may see your password while you viewing the file you can simply make it unreadable for human using base64 funciton.

See this post for details and even small utility for Windows, Linux and Mac that makes it easier.

Is it ever ok to store password in plain text in a php variable or php constant?

8 Answers8

Linked

Related