2010/8/19 Andre Polykanine <an...@oire.org>:
> Hello Nathan,
>
> Sorry, could you provide any links to read for a security noob?)
> Actually, I know that the md5 is decryptable (there are bases with
> words encrypted in md5), but I thought the SHA1 was secure...
> --
> With best regards from Ukraine,
> Andre
> ----- Original message -----
> From: Nathan Rixham <nrix...@gmail.com>
> To: tedd <t...@sperling.com>
> Date: Thursday, August 19, 2010, 12:03:12 PM
> Subject: [PHP] Re: How safe is a .htaccess file?
>
> tedd wrote:
>> Hi gang:
>>
>> The subject line says it all.
>>
>> How secure is a .htaccess file to store passwords and other sensitive
>> stuff?
>>
>> Can a .htaccess file be viewed remotely?
>
> Semi-safe,
>
> .htaccess is prevented from being served by configuration options (which
> come as default), however these can be overwritten so best to check by
> doing a GET on the resource URI.
>
> This doesn't prevent them from being exposed via other processes though,
> for instance a poorly coded 'download.php?path=/path/to/.htaccess' could
> still expose the file.
>
> Typically, it's obviously better to store only a hash of a password
> rather than the pass in plain text, choosing the strongest algorithm you
> can; password security is of course relative though, a sha-512 of
> 'password1' is far from secure.
>
> A good way to approach encryption for files is to openssl_seal them
> using a public key which is only available to your application - this
> doesn't negate insecure code, but it at least ensures the raw files are
> encrypted securely enough to negate any of these worries. (just keep
> your private key safe, preferably in a pkcs12 w/a strong 64char+ pass)
>
> Best,
>
> Nathan
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Hi Nathan,

I'm not a crypto expert, but I'll try to explain it:

The weakness of MD5 is mainly that MD5 collisions are possible.
That means that different strings can have the same MD5 hash...

When you use "test" as a secret password, then no hashing algorithm
can be considered "safe". The first two passwords a cracker will
try might be "1234" and "test". No big deal.

Databases of MD5 hashes exist, and so can databases of SHA-*
hashes. To get around these databases you can just "salt" your hash.
That way the hash of the word "test" will not be the same as the hash
in the database without *your* salt, no matter if you use MD5 or
SHA256:

$ echo -ne test | md5sum
098f6bcd4621d373cade4e832627b4f6  -
$ echo -ne test-mySecretSalt | md5sum
c62fb41567c476e36ba46e5b53ae6d59  -

Only the first string will be available in a hash-database.

So you see: as long as a cracker only gets your salted hashes
WITHOUT the used salt, it's pretty safe, as long as you ignore
collisions!



Back to topic:
 - as mentioned before, the biggest risk in authentication via .ht*
files is that one can try to get these files via a bug in an
application (e.g. ?read_file=.htaccess%00)
 - that's why you don't want to use plain-text passwords in .htaccess
files. The most used is the htdigest algorithm. Be sure to use a STRONG
password: a long string with letters, numbers and more chars.
 - if you're curious, get a copy of "John the Ripper password cracker"
and try to decode your passwords. That's what the bad guys use once
they get your .htaccess file.


Regards
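Added example (Python, written for this reply; it is not code from the thread or from Apache): it reproduces the salted-vs-unsalted point above with a constructed wordlist standing in for a hash database, then builds an htdigest line (format user:realm:MD5(user:realm:password)) and runs a John-style dictionary attack against it. The realm in htdigest plays the role of a salt the attacker already knows, so a weak password still falls. The user "tedd", the realm "Members Only" and the wordlist are made up for the demonstration.

```python
import hashlib

# Constructed wordlist: stands in for both an online MD5 lookup database
# and the dictionary a cracker such as John the Ripper would feed in.
WORDLIST = ["123456", "password", "1234", "test", "letmein", "qwerty"]


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def build_hash_db(words):
    """Precomputed table unsalted-MD5 -> word, i.e. what a hash database holds."""
    return {md5_hex(w): w for w in words}


def lookup(hash_db, digest: str):
    """Reverse an unsalted hash by table lookup; None when it is not in the table."""
    return hash_db.get(digest)


def salted_md5(password: str, salt: str) -> str:
    # Same construction as the md5sum example in the reply: "password-salt".
    return md5_hex(f"{password}-{salt}")


def crack_salted(digest: str, salt: str, words):
    """Dictionary attack when the attacker knows the salt: the table is useless,
    but recomputing salted hashes per word is cheap for a weak password."""
    for w in words:
        if salted_md5(w, salt) == digest:
            return w
    return None


def htdigest_line(user: str, realm: str, password: str) -> str:
    """One line of an Apache htdigest file: user:realm:MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def crack_htdigest(line: str, words):
    """user and realm are in the stolen file, so they act as a known salt."""
    user, realm, digest = line.split(":", 2)
    for w in words:
        if md5_hex(f"{user}:{realm}:{w}") == digest:
            return w
    return None


if __name__ == "__main__":
    db = build_hash_db(WORDLIST)
    print("unsalted md5('test') in database:", lookup(db, md5_hex("test")))
    salted = salted_md5("test", "mySecretSalt")
    print("salted hash in database:", lookup(db, salted))
    print("salted hash, salt known, dictionary attack:",
          crack_salted(salted, "mySecretSalt", WORDLIST))
    weak = htdigest_line("tedd", "Members Only", "test")
    strong = htdigest_line("tedd", "Members Only", "xK9#vQ2!pL7m")  # made-up strong password
    print("htdigest weak password cracked:", crack_htdigest(weak, WORDLIST))
    print("htdigest strong password cracked:", crack_htdigest(strong, WORDLIST))
```

The lookup of the salted hash fails because no table was built with that salt, which is the reply's point; the two crack functions show the caveat: once the file (and with it the realm, or the salt) is in the attacker's hands, only the strength of the password itself is left.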
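Added example (Python, written for this reply, not code from the thread): the "poorly coded download.php?path=..." / "?read_file=.htaccess%00" bug, as a vulnerable path resolver beside a hardened one. The download root /var/www/site/files is an assumed directory; the hardened version keeps the resolved path inside that root, refuses dotfiles such as .htaccess and .htpasswd, and rejects embedded NUL bytes (the %00 trick targets old PHP file functions; Python's open() raises on NUL, the check just makes the rejection explicit).

```python
import os

DOWNLOAD_ROOT = "/var/www/site/files"  # assumed directory the application may serve from


def unsafe_resolve(requested: str) -> str:
    """Vulnerable: trusts the caller. os.path.join discards the root when the
    request is absolute, and '..' segments are never checked, so
    ?path=/var/www/site/.htaccess or ?path=../.htaccess are served."""
    return os.path.join(DOWNLOAD_ROOT, requested)


def safe_resolve(requested: str):
    """Return the file to serve, or None if the request must be refused."""
    # 1. Reject embedded NUL bytes outright (the %00 truncation trick).
    if "\x00" in requested:
        return None

    root = os.path.realpath(DOWNLOAD_ROOT)
    full = os.path.realpath(os.path.join(root, requested))

    # 2. The resolved path (symlinks and '..' folded) must still lie under root.
    if os.path.commonpath([root, full]) != root:
        return None

    # 3. Never serve dotfiles or anything below a dot-directory: this covers
    #    .htaccess and .htpasswd, and the root itself (relpath == ".").
    rel = os.path.relpath(full, root)
    if any(part.startswith(".") for part in rel.split(os.sep)):
        return None

    return full


if __name__ == "__main__":
    for req in ["report.pdf", "docs/../report.pdf", "../../../etc/passwd",
                "/etc/passwd", ".htaccess", "sub/.htpasswd", ".htaccess\x00", ""]:
        print(repr(req), "->", "unsafe:", unsafe_resolve(req),
              "| safe:", safe_resolve(req))
```

The order matters: the NUL check comes first because os.path.realpath itself raises on a NUL byte, and the containment check runs on the realpath-resolved string so that a symlink inside the download directory pointing at .htaccess is caught as well.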

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php