security (store important info)

gca07738

when accessing my website , one must login first and be authenticated by a text file (passwd.txt).It stores some information ,e.g.account,password,authority...

And there is a management page for modifying account..,so the passwd.txt must be writable and readable.

But if one inputs "http://mysite/passwd.txt" and you know what's happening.

How can I keep this off?

LordShryku

Move the file outside of your web folder and have your scripts access it with the absolute path.

Oersoep

And encrypt your password using md5 or some other hash. There's no reason to keep it plain text is there?

LordShryku

Originally posted by Oersoep
And encrypt your password using md5 or some other hash. There's no reason to keep it plain text is there?

Good point, but read up on md5 first. It's not encryption, but one way hashing. Meaning, you can't recover a lost password. You can only change it...