Are you telling me that you cannot look at "37b51d194a7513e45b56f6524f2d51f2" and see that it is the same as "bar"? ... Just kidding.
Thanks for the tip, that makes a lot of sense.

"Andrew Chase" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> You could store passwords as MD5 hashes which of course is NOT really
> encryption, but it would obfuscate the users' passwords. They would still
> be vulnerable to social engineering ("Hmm, I'll try his wife's name, then
> his dog's name, then his phone#," etc) and brute force ("I'm going to run
> every word in the pspell dictionary through MD5 and see if anything
> matches") attacks, but it would be better than plain text, at least.
>
> So, instead of
>
> <user>
>   <name>Foo</name>
>   <password>bar</password>
> </user>
>
> you would have
>
> <user>
>   <name>Foo</name>
>   <password>37b51d194a7513e45b56f6524f2d51f2</password>
> </user>
>
> When 'Foo' tries to log in, you would just use MD5() on the password he
> entered in the web form and compare it to the value in the XML file. If it
> matches, he's in... otherwise, it's not the right password.
>
> I'm sure others will come up with more secure ideas, but anything is more
> secure than passwords in plain text. :)
>
> -Andy
>
> > -----Original Message-----
> > From: Chris Earle [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, July 10, 2002 9:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: [PHP] Security with XML
> >
> >
> > I've created a db like system with XML and PHP, and I want to require a
> > username/password to change the contents of the file.
> >
> > How should I go about documenting the username/password? The contents of
> > the site aren't really all too important (no financial info or
> > anything like
> > that, mostly just links actually), but I don't want someone's information
> > stolen because someone found the "users.xml" file and opened it.
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
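
The login check described in the quoted reply, shown next to a salted variant built on PHP's `password_hash()`/`password_verify()`, which goes beyond what the thread proposes. This is an added example, not code from the thread; the `<password_hash>` element, the function names and the sample data are assumptions of this example.

```php
<?php
// Constructed sample of the users.xml layout from the thread. The extra
// <password_hash> element is an assumption of this example, not the thread's.
function buildUsersXml(): SimpleXMLElement
{
    $xml  = new SimpleXMLElement('<users/>');
    $user = $xml->addChild('user');
    $user->addChild('name', 'Foo');
    $user->addChild('password', md5('bar'));  // scheme described in the thread
    $user->addChild('password_hash', password_hash('bar', PASSWORD_DEFAULT));
    return $xml;
}

// Return the <user> element whose <name> matches, or null if there is none.
function findUser(SimpleXMLElement $xml, string $name): ?SimpleXMLElement
{
    foreach ($xml->user as $user) {
        if ((string) $user->name === $name) {
            return $user;
        }
    }
    return null;
}

// The thread's check: MD5 the submitted password, compare with the stored value.
function checkMd5(SimpleXMLElement $xml, string $name, string $password): bool
{
    $user = findUser($xml, $name);
    // hash_equals() compares the two strings in constant time.
    return $user !== null && hash_equals((string) $user->password, md5($password));
}

// Salted variant: password_verify() reads the salt and cost from the stored hash.
function checkSalted(SimpleXMLElement $xml, string $name, string $password): bool
{
    $user = findUser($xml, $name);
    return $user !== null && password_verify($password, (string) $user->password_hash);
}

$xml = buildUsersXml();
var_dump(checkMd5($xml, 'Foo', 'bar'), checkMd5($xml, 'Foo', 'baz'));
var_dump(checkSalted($xml, 'Foo', 'bar'), checkSalted($xml, 'Foo', 'baz'));

// Unsalted MD5 gives every user with the same password the same stored value,
// which is what makes the dictionary comparison in the thread possible.
// password_hash() uses a fresh random salt, so two hashes of "bar" differ.
var_dump(md5('bar') === md5('bar'));
var_dump(password_hash('bar', PASSWORD_DEFAULT) === password_hash('bar', PASSWORD_DEFAULT));
```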