One thing I would do, and I have done this in many of my applications:

   a) Store the username / password in a database.
   b) Encrypt passwords (with a salt) with AES-256 using a key stored in a
file OUTSIDE the document path.
   c) Add code to the beginning of the included file to ensure it is only
executed by approved files.


 // Guard at the top of the included file: refuse to run unless the including
 // script's path matches the approved admin page. The second preg_match()
 // argument is an assumption; the original post was cut off after the pattern.
 if( 0 == preg_match( "/maplerunfarm-secure\/admin.php/", $_SERVER['SCRIPT_FILENAME'] ) ) {
     exit("Error: invalid inclusion of file. Please contact your system" /* message cut off in the original post */);
 }



-----Original Message-----
From: Jan G.B. [] 
Sent: Tuesday, August 24, 2010 9:09 AM
To: Andre Polykanine
Cc: Nathan Rixham; tedd;
Subject: Re: [PHP] Re: How safe is a .htaccess file?

2010/8/19 Andre Polykanine <>:
> Hello Nathan,
> Sorry, could you provide any links to read for a security noob?)
> Actually, I know that the md5 is decryptable (there are bases with
> words encrypted in md5), but I thought the SHA1 was secure...
> --
> With best regards from Ukraine,
> Andre
> ----- Original message -----
> From: Nathan Rixham <>
> To: tedd <>
> Date: Thursday, August 19, 2010, 12:03:12 PM
> Subject: [PHP] Re: How safe is a .htaccess file?
> tedd wrote:
>> Hi gang:
>> The subject line says it all.
>> How secure is a .htaccess file to store passwords and other sensitive
>> stuff?
>> Can a .htaccess file be viewed remotely?
> Semi-safe,
> .htaccess is prevented from being served by configuration options (which
> come as default), however these can be overwritten so best to check by
> doing a GET on the resource URI.
> This doesn't prevent them from being exposed via other processes though,
> for instance a poorly coded 'download.php?path=/path/to/.htaccess' could
> still expose the file.
> Typically, it's obviously better to store only a hash of a password
> rather than the pass in plain text, choosing the strongest algorithm you
> can; password security is of course relative though, a sha-512 of
> 'password1' is far from secure.
> A good way to approach encryption for files is to openssl_seal them
> using a public key which is only available to your application - this
> doesn't negate insecure code, but it at least ensures the raw files are
> encrypted securely enough to negate any of these worries. (just keep
> your private key safe, preferably in a pkcs12 w/a strong 64char+ pass)
> Best,
> Nathan
> --
> PHP General Mailing List (
> To unsubscribe, visit:
Hi Nathan,

I'm not a crypto expert.. but I'll try to explain it:

The weakness of MD5 is mainly because MD5 collisions are possible.
That means, that different strings can have the same MD5-hash...

When you use "test" as a secret password, then no hashing algorithm at
all can be considered "safe". The first two passwords a cracker will
try might be "1234" and "test".. No big deal.

Databases of MD5 hashes exist. And so can exist databases of SHA-*
hashes. To get around these databases you can just "salt" your hash..
that way the hash of the word "test" will not be the same as the hash
in the database without *your* salt. No matter if you use MD5 or

$ echo -ne test | md5sum
098f6bcd4621d373cade4e832627b4f6  -
$ echo -ne test-mySecretSalt | md5sum
c62fb41567c476e36ba46e5b53ae6d59  -

Only the first string will be available in a hash-database.

So you see - as long as a cracker only gets your salted hashes
WITHOUT the used salt, it's pretty safe.. as long as you don't think
about ignoring collisions!

Back to topic:
 - as mentioned before the biggest risk in authentication via .ht*
files is that one can try to get these files via a bug in an
application.. (e.g. ?read_file=.htaccess%00)
 - that's why you don't want to use plain-text passwords in .htaccess
files. Most used is the htdigest algorithm. Be sure to use a STRONG
password: a long string with letters, numbers and more chars.
 - if you're curious, get a copy of "John the Ripper password cracker"
and try to decode your passwords.. that's what the bad guys use once
they get your .htaccess file.
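
Added example (Python; not code from any message in this thread): it
works through Jan's two points above in runnable form. First, a
constructed "hash database" of common passwords shows that an unsalted
MD5 of "test" is a one-line lookup while the salted form from the
md5sum example is not in the table; it also shows that if the salt
leaks together with the hash, a plain dictionary attack still
recovers a weak password. Second, it builds a line in the format
Apache's htdigest tool writes (user:realm:MD5("user:realm:password"))
and cracks it offline the way John the Ripper would, since user and
realm are stored in clear in the file. The password list, user name,
realm and salt are all made up for the demo.

```python
"""Lookup-table vs. salted hashing, and offline cracking of an
htdigest line. Added example; all inputs below are constructed."""
import hashlib
from typing import Dict, Iterable, Optional

# Constructed stand-in for the "databases of MD5 hashes" Jan mentions:
# an attacker precomputes MD5 of common passwords once.
COMMON_PASSWORDS = ["123456", "password", "1234", "test", "password1", "qwerty"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Map unsalted MD5 hex digest -> password (a tiny rainbow-table stand-in)."""
    return {md5_hex(w): w for w in words}


def unsalted_hash(password: str) -> str:
    return md5_hex(password)


def salted_hash(password: str, salt: str) -> str:
    # Same construction as the shell example: md5("test-mySecretSalt")
    return md5_hex(f"{password}-{salt}")


def table_lookup(digest: str, table: Dict[str, str]) -> Optional[str]:
    """What a cracker does with a leaked hash and no salt: an O(1) lookup."""
    return table.get(digest)


def dictionary_attack_salted(digest: str, salt: str, words: Iterable[str]) -> Optional[str]:
    """If the salt leaks alongside the hash, the precomputed table is useless,
    but hashing every candidate with that salt still finds weak passwords."""
    for w in words:
        if salted_hash(w, salt) == digest:
            return w
    return None


def htdigest_line(user: str, realm: str, password: str) -> str:
    """Line format written by Apache's htdigest tool:
    user:realm:MD5("user:realm:password")."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def crack_htdigest(line: str, words: Iterable[str]) -> Optional[str]:
    """Offline attack on a leaked .htdigest file: user and realm are in the
    line, so only the password has to be guessed (what John the Ripper automates)."""
    user, realm, digest = line.strip().split(":", 2)
    for w in words:
        if md5_hex(f"{user}:{realm}:{w}") == digest:
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", table_lookup(unsalted_hash("test"), table))
    print("salted, table only:", table_lookup(salted_hash("test", "mySecretSalt"), table))
    print("salted, salt leaked:", dictionary_attack_salted(
        salted_hash("test", "mySecretSalt"), "mySecretSalt", COMMON_PASSWORDS))
    leaked = htdigest_line("tedd", "Admin Area", "password1")  # constructed .htdigest line
    print("htdigest:", crack_htdigest(leaked, COMMON_PASSWORDS))
```

The takeaway matches the thread: a salt stops table lookups, but with a
fast unkeyed hash like MD5 a weak password is still found by guessing,
and an htdigest file carries everything except the password, so only
password strength protects it once the file leaks.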


