GetSimple Support Forum

Full Version: Question about security
I was wondering if it is safe to store a password inside an XML file when it's not encrypted (where the only security comes from the .htaccess file which says "deny from all").

If it's not, does anybody know how to store it encrypted but, more important, how to get it decrypted so I can use it?

Summary: I need to store an encrypted password, and get it out of the XML and log in to a site with a decrypted password. Or is the .htaccess secure enough?

Thanks
I am no pro at PHP, but from what I have learned, it is never safe to decrypt a password.

I always encrypt the password before adding to a database and encrypt the password before being compared to the database.

For encryption I use MD5. I have heard that it has some weakness and can be hacked by any good hacker with a little bit of time on his hands, but it has never been an issue for me, so for now it works!
@OWS_Matthew
I know what you mean with the MD5 encryption, but that's within a system. What I want to do is store a password and then use that password for Google Analytics login. I've created a plugin for displaying Google Analytics stats at the backend. The only problem is the stored account information in the GSDATAOTHERPATH. How can I secure this? Is there another way to secure the data?
I have not done encryption in PHP myself (normally use md5 or sha1), but you should be able to do it through mcrypt_encrypt and mcrypt_decrypt.
If you are sure the XML file is out of reach of others, either by making sure the server won't send information about it (using HTACCESS) or by placing it outside the public_html folder of your server (this method would be more secure than HTACCESS), you have done all you can to make it secret.

Encrypting and decrypting automatically is often unnecessary. If the XML can only be reached by your script it means anyone that wants to steal it needs to get access to the server. If they have access to the server they can simply check the PHP script used for decrypting and decrypt the password.

As a rule of thumb, storing passwords is always a bad idea. If you must store it, encrypt it. If you must be able to decrypt it, make sure this decryption happens somewhere else or needs you to manually input a password. If people have gotten access to your encrypted password, chances are they have gotten access to your decrypting script as well. Never have all decryption and encryption information stored in the same place!
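
The separation described in the last post (ciphertext in the XML file, key kept somewhere else), as an added example that is not part of the original thread. It uses PHP's libsodium secretbox instead of mcrypt, which was removed from PHP core in 7.2; the environment variable name GA_SECRET_KEY, the function names and the sample password are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Assumption: the key arrives in the
// hypothetical environment variable GA_SECRET_KEY, set in the server config
// outside the web root, never in the XML file or in the plugin directory.

function load_key(): string
{
    $b64 = getenv('GA_SECRET_KEY');
    if ($b64 === false) {
        throw new RuntimeException('GA_SECRET_KEY is not set');
    }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('GA_SECRET_KEY must be 32 bytes, base64-encoded');
    }
    return $key;
}

// Returns an XML document that holds only nonce + authenticated ciphertext.
function seal_password(string $password, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($password, $nonce, $key);
    $xml   = new SimpleXMLElement('<item/>');
    $xml->addChild('secret', base64_encode($nonce . $box));
    return $xml->asXML();
}

// Returns the password; throws if the file was modified or the key is wrong.
function open_password(string $xmlText, string $key): string
{
    $xml = simplexml_load_string($xmlText);
    $raw = $xml === false ? false : base64_decode((string) $xml->secret, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored secret is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('authentication failed: wrong key or modified file');
    }
    return $plain;
}

// Constructed demo: a throwaway key and a constructed sample password.
putenv('GA_SECRET_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key    = load_key();
$stored = seal_password('constructed-sample-password', $key);
echo $stored, PHP_EOL, open_password($stored, $key), PHP_EOL;
```

Someone who can read the web server's environment as well as the XML file can still recover the password, so this narrows exposure to a leaked data file or backup rather than a full server compromise.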