in reply to Re: Best way to hide passwords. in thread Best way to hide passwords.
Actually, the best thing, really the only thing to
do is to make sure that your password file is not accessible
from the Web at all! Don't put it in a directory
that is served by Apache. Period.
There have been many historical cases of people downloading
your standard-issue '.htpasswd' file and running crack on
it, finding dozens of simple passwords such as 'bob/bob',
'joe/123' and many others that would surprise you. These
'hax0rz' can do many unpleasant things to your Web site,
and if you're not careful, there might be some system
accounts with the same password and login as on the
site...well, you know what happens next.
So, if your script is running in "/site/www", put your
data somewhere else, like "/site/data" which is not
served by Apache.
|