User names and passwords stored in plain text??? (Evo 14)
Autor: Jon B.
Visitado 2382,
Seguidores 3,
Compartilhado 0
I have set up users in the Access Management tab and uploaded website. However, after going through some of the files, I noticed that the user names and passwords were stored in plain text in /res/access.inc.php.
Even though I have restricted access to this directory from web access, there is always the possibility of the server being breached and then all usernames and passwords being known.
Can this be done differently in Evo or does it require Pro in order to store this information elsewhere (and encrypted)?
Publicado em
Hello John,
The content of this file can only be read if you access via FTP and otherwise the data cannot be read since it is executed as PHP file.
The visitors of the website will never be able to read them.
Many thanks!
Hello Jon
Storing log-on-information in a php-file is quite common.
Also database information/credentials is normally stored this way.
If you are very keen on security, you should be aware of your PC. If it is not password-protected or is kept alone, you should know that the /res/access.inc.php file is also on your PC. And here it can be accessed by anyone who knows where the file is, and has access to the PC.
Autor
Thanks for your replies. The concern is still the same.
The file exists in multiple locations: the server, server backups, local copy on any machine the website is worked on/tested on, any copy that happens to be stored remotely (cloud/flash drive).
Visitors might not be able to view this data, but anyone who gains access to these locations could. This includes not only unauthorized access to the file (hacker/stolen laptop/lost thumb drive), but also somebody who has legitimate access to the file such as an employee. A mis-configured server could also make it a downloadable file.
Best security practice is to encrypt all passwords. My current project doesn't require users, so I am not worried about it at the moment, but I will certainly think about another way of implementing users if there is a need in the future.