WebSite X5Help Center

 
Jon B.
Jon B.
User

User names and passwords stored in plain text??? (Evo 14)  en

Author: Jon B.
Visited 2372, Followers 3, Shared 0  

I have set up users in the Access Management tab and uploaded website.  However, after going through some of the files, I noticed that the user names and passwords were stored in plain text in /res/access.inc.php.

Even though I have restricted access to this directory from web access, there is always the possibility of the server being breached and then all usernames and passwords being known.

Can this be done differently in Evo or does it require Pro in order to store this information elsewhere (and encrypted)?

Posted on the
3 ANSWERS
Incomedia
Claudio D.
Incomedia

Hello John,

The content of this file can only be read if you access via FTP and otherwise the data cannot be read since it is executed as PHP file.

The visitors of the website will never be able to read them.

Many thanks!

Read more
Posted on the from Claudio D.
John S.
John S.
User

Hello Jon

Storing log-on-information in a php-file is quite common.

Also database information/credentials is normally stored this way.

If you are very keen on security, you should be aware of your PC. If it is not password-protected or is kept alone, you should know that the /res/access.inc.php file is also on your PC. And here it can be accessed by anyone who knows where the file is, and has access to the PC.

Read more
Posted on the from John S.
Jon B.
Jon B.
User
Author

Thanks for your replies.  The concern is still the same.

The file exists in multiple locations: the server, server backups, local copy on any machine the website is worked on/tested on, any copy that happens to be stored remotely (cloud/flash drive).

Visitors might not be able to view this data, but anyone who gains access to these locations could.  This includes not only unauthorized access to the file (hacker/stolen laptop/lost thumb drive), but also somebody who has legitimate access to the file such as an employee.  A mis-configured server could also make it a downloadable file.

Best security practice is to encrypt all passwords.  My current project doesn't require users, so I am not worried about it at the moment, but I will certainly think about another way of implementing users if there is a need in the future.

Read more
Posted on the from Jon B.