Greetings jerrygarciuh,
From my point of view, it seems like you have two options:
1. Keep crypted passwords in the database, probably as a column in a user table.
2. Keep crypted passwords in a file outside the Web site directory.
(IMHO, at no point should passwords be kept in clear text. Even if someone gets to the file, you should make them work for the passwords.)
With either option, I can get to the crypted password information (eventually) if I can read your scripts' code. So the first thing is to protect your scripts from me. Check out Ovid's CGI Course for some great wisdom on this. One trick I've used recently is to invoke CGI::Application. Aside from the super-cool auto-use of CGI and HTML::Template, it also lets me build really stripped-down CGI scripts with the bulk of the processing code in "application module" files housed outside the Web server document root. If a cracker were able to get the code to my script via http, he wouldn't be able to read off the location of any data files or the location/username/passwords to any database.
Now to the specific difference between options 1 and 2. With a database, you can't really hide a table (as far as I know, with my limited knowledge). A file, however, could be hidden a few different ways. You could use the file system to lock the file in specific ways, or you could create a symbolic link to the file.
Personally, if it were just me, I'd go with the database approach because it's simpler. I have my database allowing only local connections with authentication, so I feel fairly safe. However, I'm very much not a security guru. Others will certainly have better/more informed ideas.
gryphon
code('Perl') || die;
In reply to Re: OT ~ Security: Why is Root More Secure Than mySQL?
by gryphon
in thread OT ~ Security: Why is a file outside the web root more secure than mySQL?
by jerrygarciuh
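The layout gryphon describes above (a thin CGI instance script under the web root, the real logic in a CGI::Application module outside it, and only crypt()-hashed passwords on disk) as an added example; this is not gryphon's code and not part of the original thread. The paths /srv/app/lib and /srv/app/etc/passwd.db, the MyApp package name and the "user:hash" file format are assumptions made for the example, and the salted hash creation assumes a glibc-style crypt() that understands the $6$ (SHA-512) prefix.

```perl
#!/usr/bin/perl
# Added example, not from the original post. In deployment the MyApp package
# lives in its own file (assumed: /srv/app/lib/MyApp.pm, outside the document
# root) and only the short "instance script" at the bottom sits under the
# web root, so fetching the script's source via http reveals no paths or
# credentials beyond the module name.
use strict;
use warnings;

package MyApp;
use base 'CGI::Application';

# Assumed location of the credential file; it is never inside the web root
# and holds only crypt() hashes, never clear-text passwords.
my $PASSWD_FILE = '/srv/app/etc/passwd.db';

sub setup {
    my $self = shift;
    $self->start_mode('login');
    $self->run_modes(login => 'login');
}

# Read "user:hash" lines (blank lines and # comments ignored) into a hashref.
sub load_hashes {
    my ($path) = @_;
    my %h;
    open my $fh, '<', $path or die "cannot open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;
        my ($user, $hash) = split /:/, $line, 2;
        $h{$user} = $hash if defined $hash;
    }
    close $fh;
    return \%h;
}

# Create a new salted hash for storage. Assumes glibc-style crypt() with
# SHA-512 ($6$) support; on a plain DES crypt() this prefix is not honoured.
sub make_hash {
    my ($plain) = @_;
    my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
    my $salt = join '', map { $chars[ rand @chars ] } 1 .. 16;
    return crypt($plain, '$6$' . $salt . '$');
}

# crypt() with the stored hash as the salt reproduces the stored hash exactly
# when the password matches. The comparison is done byte-wise without an
# early exit so timing does not reveal how many leading bytes matched.
sub check_password {
    my ($hashes, $user, $plain) = @_;
    my $stored = $hashes->{$user} or return 0;
    my $got = crypt($plain, $stored);
    return 0 unless defined $got && length $got == length $stored;
    my $diff = 0;
    $diff |= ord(substr $got, $_, 1) ^ ord(substr $stored, $_, 1)
        for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

# Run mode: read user/pass from the query and answer in plain text.
sub login {
    my $self   = shift;
    my $q      = $self->query;
    my $hashes = load_hashes($PASSWD_FILE);
    my $ok = check_password($hashes,
                            scalar $q->param('user'),
                            scalar $q->param('pass'));
    $self->header_props(-type => 'text/plain');
    return $ok ? "welcome\n" : "login failed\n";
}

package main;

# --- instance script: the only part that would live under the web root ---
use lib '/srv/app/lib';   # assumed path to the application module
MyApp->new->run;
```

A line for the credential file is produced once with make_hash('the-password') and written as `alice:<hash>`; the web-facing script never needs to know where that file is, since the path is compiled into the module the web server cannot serve.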