nunos

Reputation: 21409

How to safely store a password inside PHP code?

How can I have a password inside PHP code and guarantee that no one viewing the page in the browser can retrieve it?

Is: <?php $password = 'password' ?> enough? Is there a better, more secure way of doing this?

Upvotes: 14

Views: 31097

Answers (11)

knittl

Reputation: 265817

That depends on the type of passwords you want to store.

  • If you want to store passwords to compare against, e.g. having an $users array, then hashing is the way to go. sha1, md5 or any other flavor (here’s an overview)

    Adding a salt accounts for additional security, because the same password will not result in the same hash

    Update: password_hash uses a salted, strong one-way hash with multiple rounds.

  • If you want to store passwords to connect to other resources like a database: you’re safest if you store your passwords outside your document root, i.e. not reachable by browsers. If that's not possible, you can use an .htaccess file to deny all requests from outside

Upvotes: 19
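Both cases knittl lists, worked through in PHP as an added example that is not part of the question or any answer. It assumes PHP 7 or later (password_hash exists since 5.5) and a config file at /var/www/config/db.ini beside, not under, a document root of /var/www/html; both paths are assumptions.

```php
<?php
// Added example: knittl's two cases in modern PHP (paths below are assumptions).

// Case 1: passwords you only compare against (your own users).
// password_hash() generates a random salt and uses a slow, multi-round
// algorithm; salt, algorithm and cost are embedded in the returned string.
function storeUser(array &$users, string $name, string $plain): void {
    $users[$name] = password_hash($plain, PASSWORD_DEFAULT);
}

// Never rebuild the hash yourself: password_verify() reads the salt and cost
// from the stored string and compares in constant time. If the stored hash
// was made with an older cost or algorithm, upgrade it after a successful login.
function checkUser(array &$users, string $name, string $plain): bool {
    if (!isset($users[$name]) || !password_verify($plain, $users[$name])) {
        return false;
    }
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($plain, PASSWORD_DEFAULT);
    }
    return true;
}

// Case 2: a password PHP needs in clear text to reach another resource.
// Keep it in a file outside the document root so no URL maps to it, e.g.
// /var/www/config/db.ini (assumed) containing:
//   [database]
//   user = app
//   password = s3cret
// INI_SCANNER_RAW stops characters like ';' or '"' in the password from
// being interpreted by the ini parser.
function loadDbConfig(string $iniPath): array {
    $cfg = parse_ini_file($iniPath, true, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['database']['password'])) {
        throw new RuntimeException("cannot read DB config from $iniPath");
    }
    return $cfg['database'];
}

$users = [];
storeUser($users, 'alice', 'correct horse battery staple');
var_dump(checkUser($users, 'alice', 'correct horse battery staple'));
var_dump(checkUser($users, 'alice', 'wrong'));

// Script lives in /var/www/html, config one level up (assumed layout).
$db = loadDbConfig(__DIR__ . '/../config/db.ini');
$pdo = new PDO('mysql:host=localhost;dbname=app', $db['user'], $db['password']);
```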

Adam Wright

Reputation: 49386

Your PHP code will (barring configuration errors) be processed on the server. Nothing inside the <?php ?> blocks will ever be visible in the browser. You should ensure that your deployment server will not show syntax errors to the client - i.e. the error reporting is set to something not including E_PARSE, lest a hasty edit of live code (admit it, we all do them :) leak some information.

Edit: The point about storing them in a file outside the document root to avoid exposure if your PHP configuration breaks is certainly valid. When I used PHP, I kept a config.inc file outside of htdocs that was required at runtime, and exported configuration specific variables (i.e. passwords).

Upvotes: 7

Martijn

Reputation: 5673

Basic, probably not 100% watertight but enough for general purposes:

hash the password (use salt for added security) using your favorite algorithm, and store the hash (and the salt). Compare salted & hashed input with stored data to check a password.

Upvotes: 1

Heiko Hatzfeld

Reputation: 3197

If you can retrieve the password within PHP, then it is retrievable...

The only thing that you can do is to move your password to a "protected" location.

Most hosting companies will offer a separate location where you can place your DB files etc, and this location will not be accessible via the browser. You should store passwords there.

But they are still on your server, and when someone gets access to your box, then he has your password. (He gets to your PHP that has the way to decode it, and he has access to the protected file -> he can read it)

So there is no such thing as a "safe password"

The only option YOU have is to not STORE PASSWORDS for your users etc... I get mad if I subscribe to a service, and they offer to send me my password via email in case I forget it. They store it in a "retrievable way", and that's not something you should do.

That's where all the hashing and salting comes in. You want to verify that someone can access a resource. So you hash + salt the password, and store that in the DB for the USER who wants to access the service, and when the user wants to authenticate you apply the same algorithm to create the hash and compare those.

Upvotes: 2

macjohn

Reputation: 1803

As suggested, store the password sha1, salted and peppered

function hashedPassword($plainPassword) {
    // fixed salt and pepper, kept in the code rather than next to the stored hash
    $salt = '1238765&';
    $pepper = 'anythingelse';
    // inner hash binds the pepper to the password, outer hash adds the salt
    return sha1($salt . sha1($plainPassword . $pepper));
}

and then compare the two values

if ($stored === hashedPassword('my password')) {
   ...
}

And if you can't store your hashed passwords outside of the server root, remember to instruct apache to forbid the access to that file, in your .htaccess file:

<Files passwords.config.ini>
  Order Deny,Allow
  Deny from all
</Files>

Upvotes: 0
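A deployment self-check for the two points Adam Wright (display_errors) and macjohn (a credentials file inside the web tree) raise, written here as an added example; it is not from any of the answers. The path to the secrets file is an assumption, and the script expects to run under the web server so that $_SERVER['DOCUMENT_ROOT'] is set.

```php
<?php
// Added example: verify that a secrets file cannot leak through the web server.
// Returns a list of findings; an empty list means all three checks passed.
function checkSecretsDeployment(string $secretsFile): array {
    $findings = [];

    // 1. display_errors must be off: a parse error after a hasty edit would
    //    otherwise print source fragments (credentials included) to the client.
    $display = strtolower((string) ini_get('display_errors'));
    if (in_array($display, ['1', 'on', 'stdout', 'stderr'], true)) {
        $findings[] = 'display_errors is enabled; set display_errors=Off in php.ini';
    }

    // 2. The file must not be reachable by URL, i.e. its real path must not
    //    lie under the document root. If it has to stay there, deny access
    //    to it (Order Deny,Allow / Deny from all on Apache 2.2, or
    //    Require all denied on Apache 2.4).
    $real = realpath($secretsFile);
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($real === false) {
        $findings[] = "secrets file $secretsFile not found";
    } elseif ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        $findings[] = "$real is inside the document root $docRoot; move it out "
                    . 'or deny access to it in the web server configuration';
    }

    // 3. Even outside the web tree, only the PHP process owner should be able
    //    to read it; 044 masks the group-read and other-read bits.
    if ($real !== false && (fileperms($real) & 044) !== 0) {
        $findings[] = "$real is readable by group or others; chmod 600 it";
    }
    return $findings;
}

// Assumed layout: this script in the document root, config one level up.
foreach (checkSecretsDeployment(__DIR__ . '/../config/db.ini') as $finding) {
    echo $finding, PHP_EOL;
}
```

Remove the script once the checks pass so it does not stay reachable on the live site.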

MathGladiator

Reputation: 1211

I generally do not trust raw PHP code for passwords for services. Write a simple PHP extension to release the password. This ensures that the working set is password free, and it makes it an extra step for a compromised machine to grant access to the hacker to the service.

Upvotes: 0

Mohamed

Reputation: 3610

The best way is to store the password above your root directory. If you decide to have the password in a PHP file then nobody would be able to view it because PHP files are executed on the server. But if the server does not support PHP then those files will be delivered as text files and anyone can see the password.

Upvotes: -1

brianreavis

Reputation: 11546

Let's say your password is "iamanuisance". Here's how to store the password in your code. Just slip this in your header somewhere.

//calculate the answer to the universe
${p()}=implode(null,array(chr(0150+floor(rand(define(chr(ord('i')+16),'m'),
2*define(chr(0x58),1)-0.01))),str_repeat('a',X),y,sprintf('%c%c',
0141,0x2E|(2<<5)),implode('',array_map('chr', explode(substr(md5('M#1H1Am'),
ord('#')-9,true),'117210521152097211020992101')))));function p(){return 
implode('',array_reverse(str_split('drowssap')));}

Just in case it's not completely obvious, you can then easily access the password later on as $password. Cheers! :P

Upvotes: 4

Cem Kalyoncu

Reputation: 14603

PHP code blocks cannot be retrieved by clients unless they output something. Observe:

<?php
   if($password=="abcd")
       echo "OK";
   else
       echo "Wrong.";
?>

The user can get either OK or Wrong, nothing else.

Upvotes: 0

Jake

Reputation: 3973

There are numerous ways of doing this. However, people will not be able to view the password you stored (as plain text) in a PHP file, since PHP is a server side language, which means that, as long as you don't print it out to the browser, it will remain invisible.

So it's 'safe'.

Upvotes: 3

Jeff Ober

Reputation: 5027

Store the password encrypted. For example, take the output of:

sha1("secretpassword");

...and put it in your code. Even better, put it in your database or in a file outside of the web server's directory tree.

Upvotes: 0
