php - symfony securing passwords in cleartext

16 Replies - 448 Views - Last Post: 06 November 2017 - 11:25 AM

#1 salv236 (New D.I.C Head; Reputation: 0; Posts: 42; Joined: 04-January 15)

php - symfony securing passwords in cleartext

Posted 03 November 2017 - 10:28 AM

Using version 2.8 for the symfony framework i would like to be able to secure code that contains passwords in cleartext.
Is anyone aware of a solution?

Replies To: php - symfony securing passwords in cleartext

#2 modi123_1 (Suitor #2; Reputation: 13488; Posts: 53,864; Joined: 12-June 08)

Re: php - symfony securing passwords in cleartext

Posted 03 November 2017 - 10:43 AM

Why would you want passwords in clear text?

Moved to PHP.

#3 CTphpnwb (D.I.C Lover; Reputation: 3714; Posts: 13,469; Joined: 08-August 08)

Re: php - symfony securing passwords in cleartext

Posted 03 November 2017 - 11:03 AM

Do you mean that you've got password stored in plain text that you want to encrypt? You'll need to pull them from the table, encrypt them, then save them, preferably to another field while testing!

#4 salv236 (New D.I.C Head; Reputation: 0; Posts: 42; Joined: 04-January 15)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 02:31 AM

CTphpnwb, on 03 November 2017 - 11:03 AM, said:

Do you mean that you've got password stored in plain text that you want to encrypt? You'll need to pull them from the table, encrypt them, then save them, preferably to another field while testing!

Hi CTphpnwb,

Yes, the passwords are hard coded within PHP. I was recently appointed within a company to strengthen their security. I did see an article on the official Symfony website where it mentions to use bcrypt; however, I fail to understand whether this only secures data within the database (i.e. Doctrine) or if it secures passwords that are hardcoded within the PHP code.

#5 Skydiver (Code herder; Reputation: 5894; Posts: 20,114; Joined: 05-May 12)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 04:55 AM

Ack! Passwords embedded in source code ... in plaintext? What was the developer thinking? What happens if the company moves the code to a distributed source control system and one of the people working on the code decides to push the code up to Bitbucket or GitHub?

#6 CTphpnwb (D.I.C Lover; Reputation: 3714; Posts: 13,469; Joined: 08-August 08)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 05:23 AM

salv236, on 06 November 2017 - 04:31 AM, said:

... if it secures passwords that is hardcoded within the PHP code.

It does not. I misspoke above: you need to hash the passwords, not encrypt them. Then you need to store the hash in your database. Then, when a user logs in, you need to check the user-supplied password by hashing it and comparing to the database. Symfony can do much of that for you. See http://symfony.com/d...ogin_setup.html

#7 salv236 (New D.I.C Head; Reputation: 0; Posts: 42; Joined: 04-January 15)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 05:35 AM

Skydiver, on 06 November 2017 - 04:55 AM, said:

Ack! Passwords embedded in source code ... in plaintext? What was the developer thinking? What happens if the company moves the code to a distributed source control system and one of the people working on the code decides to push to code up to Bitbucket or GitHub?

Hi Skydiver,

I was also in shock when I discovered this. I notified the senior developer that this is bad practice, so he wants me to find a solution that encrypts passwords that are hard coded.


#8 salv236 (New D.I.C Head; Reputation: 0; Posts: 42; Joined: 04-January 15)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 05:53 AM

CTphpnwb, on 06 November 2017 - 05:23 AM, said:

    salv236, on 06 November 2017 - 04:31 AM, said:

    ... if it secures passwords that is hardcoded within the PHP code.

It does not. I misspoke above: you need to hash the passwords, not encrypt them. Then you need to store the hash in your database. Then, when a user logs in, you need to check the user supplied password by hashing it and comparing to the database. Syfony can do much of that for you. See http://symfony.com/d...ogin_setup.html

Thanks for sharing this with me; however, this is not what I require. I'm looking for something that secures passwords that are hardcoded within their code. I could of course suggest that passwords are recorded in an alternative way :)

#9 CTphpnwb (D.I.C Lover; Reputation: 3714; Posts: 13,469; Joined: 08-August 08)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 06:35 AM

When you find that unicorn let us know!

Let's say you've got this code:
$password = "letmein";

You could hash the password and change it to that hash:
$password = "hashed version of the password";

That will be somewhat more secure, but fixed passwords can never be as secure as a system where the passwords can be changed frequently, as a database allows.
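What posts #6 and #9 describe ("hash it, store the hash, verify the login against the hash") as an added example in PHP. This is not code from any of the posters or from Symfony; the function names and the BCRYPT_COST constant are this example's own, and it assumes PHP 7.1 or later for the nullable return type. The point it makes beyond the prose: the cleartext "letmein" never needs to exist in the source or the database, because a bcrypt string carries its own salt and cost, and verification is a constant-time re-hash rather than a string comparison.

```php
<?php
// Added example for this thread (not the posters' or Symfony's code).
// Replaces the pattern from post #9,
//     $password = "letmein";   if ($input === $password) { ... }
// with a stored bcrypt hash and password_verify(). Names are this example's own.

declare(strict_types=1);

const BCRYPT_COST = 12;   // PHP's default is 10; raise it as hardware gets faster

// Run ONCE, offline (e.g. `php -r` in a shell), and paste the result into config
// in place of the cleartext. The returned string embeds the algorithm, the cost
// and a fresh random salt, so no separate salt constant is needed.
function makePasswordHash(string $cleartext): string
{
    return password_hash($cleartext, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Login check: re-hashes the candidate with the salt and cost recorded inside
// the stored hash and compares in constant time. Never compare hashes with ===.
function verifyPassword(string $candidate, string $storedHash): bool
{
    return password_verify($candidate, $storedHash);
}

// If BCRYPT_COST was raised since the hash was made, return a fresh hash on the
// next successful login so the caller can store it; null when nothing changes.
function rehashIfStale(string $candidate, string $storedHash): ?string
{
    if (!password_verify($candidate, $storedHash)) {
        return null;
    }
    $stale = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return $stale ? makePasswordHash($candidate) : null;
}

// --- demonstration ----------------------------------------------------------
// The hash is generated at runtime here only so the script is self-contained;
// in real use the precomputed '$2y$12$...' string is what lives in config.
$storedHash = makePasswordHash('letmein');   // 'letmein' is a constructed value

echo 'stored form: ', $storedHash, PHP_EOL;  // starts with $2y$12$, no cleartext
echo verifyPassword('letmein', $storedHash)  ? "correct password accepted\n"  : "BUG: correct password rejected\n";
echo verifyPassword('letmeout', $storedHash) ? "BUG: wrong password accepted\n" : "wrong password rejected\n";

// A hash made at a lower cost is flagged for upgrade on the next good login.
$oldHash = password_hash('letmein', PASSWORD_BCRYPT, ['cost' => 10]);
echo rehashIfStale('letmein', $oldHash) !== null ? "old-cost hash scheduled for rehash\n" : "BUG: stale hash not detected\n";
echo rehashIfStale('letmein', $storedHash) === null ? "current hash left alone\n" : "BUG: needless rehash\n";
```

The caveat a practitioner should attach to this: hashing only fits a secret that someone presents to your application (a user's login password). A secret your application must present to something else, such as the database password in a Doctrine DSN, cannot be hashed, because MySQL needs the original; that kind of secret has to be moved out of the source tree and out of version control instead, which is what the later posts in this thread turn to.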

#10 astonecipher (Too busy for this; Reputation: 2330; Posts: 9,381; Joined: 03-December 12)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 08:12 AM

A senior developer said, find a way to secure a hardcoded password. Where do you work? What is classified as senior, can spell it?

#11 salv236 (New D.I.C Head; Reputation: 0; Posts: 42; Joined: 04-January 15)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 08:18 AM

astonecipher, on 06 November 2017 - 08:12 AM, said:

A senior developer said, find a way to secure a hardcore password. Where do you work? What is classified as senior, can spell it?

astonecipher, the organisation is a startup. I possess an IT Security background with 9 years' experience and have now become a junior developer; the senior possesses 5 years of experience.


#12 modi123_1 (Suitor #2; Reputation: 13488; Posts: 53,864; Joined: 12-June 08)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 08:58 AM

How many passwords are you talking about? It may be best to actually go through the code and pull out the passwords instead of patching it in some fashion to hide them on the client side.

#13 CTphpnwb (D.I.C Lover; Reputation: 3714; Posts: 13,469; Joined: 08-August 08)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 09:56 AM

salv236, on 06 November 2017 - 07:53 AM, said:

Thanks for sharing this with me however this is not what i require, im looking for something that secures passwords that are hardcoded within their code, i could of course suggest that password are recorded in an alternative way :)

Change "could" to "should". The history of computer science is one of moving from specific use cases to abstraction. You wouldn't hard code the length of an array for iterating over it, right? You'd use foreach($arrayName as $key => $value) or for($i = 0; $i < count($arrayName); $i++), wouldn't you? What you're asked to do is wrong, not just because it's bad security. It's terrible software.

#14 ArtificialSoldier (D.I.C Lover; Reputation: 1829; Posts: 5,758; Joined: 15-January 14)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 09:58 AM

You only really need a single config file with a single password - the database password. You can store all of the other data in the database. I don't know how useful it would be to try to encrypt the database password, all of the information needed to decrypt it is on the server also.

#15 Skydiver (Code herder; Reputation: 5894; Posts: 20,114; Joined: 05-May 12)

Re: php - symfony securing passwords in cleartext

Posted 06 November 2017 - 11:02 AM

Although I advocate taking the hardcoded password out of the source code and putting it into a config file, playing devil's advocate, how is that any more secure? If a hacker gains access to the machine to be able to see the .PHP file contents, then the password is leaked. The same would be true for the configuration file. Of course, the classic security response is "if the hacker manages to gain control of the machine, then you have bigger problems."

To answer my own objections:
Typically, though, a way that a hacker gets access to the .PHP files of a site is due to a mis-configuration of Apache. Normally, this type of mis-configuration will only affect the public web directory and down. So if the configuration file is kept out of the public web directory, then the Apache mis-configuration in theory should not affect access to the configuration file -- the configuration file still cannot be served up.

Furthermore, it is easier to keep track of a single configuration file and know that it should not be put into source control, or if it is put into source control, that more care should be taken to ensure that no passwords are checked in.
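The "single config file, outside the public web directory, not in source control" approach of posts #12, #14 and #15, as an added example. None of this is the posters' or Symfony's code. For context, in Symfony 2.8 the conventional home for that one secret is app/config/parameters.yml, which the Standard Edition lists in .gitignore and tracks only as parameters.yml.dist, and environment variables prefixed with SYMFONY__ are imported as container parameters (double underscores after the prefix become dots). The hypothetical SecretLoader class below adds the two checks a practitioner wants on top of that convention: it reads the secret from an environment variable first and from a file second, refuses a file that sits under the document root (the Apache misconfiguration post #15 describes would serve it), and refuses a file that other users on the host can read. The environment-variable name APP_DB_PASSWORD, the class name and the directory layout are all this example's own; it assumes a POSIX filesystem and PHP 7.1 or later.

```php
<?php
// Added example for this thread (not the posters' or Symfony's code).
// Keeps the one remaining secret, the database password, out of the PHP source:
// environment variable first, then a file that must live outside the web root
// and be readable only by its owner. Names are this example's own.

declare(strict_types=1);

final class SecretLoader
{
    /** @var string */
    private $docRoot;

    /** @param string $docRoot the directory Apache serves, e.g. /var/www/app/web */
    public function __construct(string $docRoot)
    {
        $this->docRoot = $docRoot;
    }

    /** Environment variable first: nothing on disk, nothing to commit by accident. */
    public function fromEnv(string $name): ?string
    {
        $value = getenv($name);
        return ($value === false || $value === '') ? null : $value;
    }

    /** File fallback, with the checks a misconfigured vhost makes necessary. */
    public function fromFile(string $path): string
    {
        $real = realpath($path);
        if ($real === false) {
            throw new RuntimeException("secret file not found: $path");
        }

        // Check 1: the file must not be anywhere under the document root.
        $root = rtrim(realpath($this->docRoot) ?: $this->docRoot, DIRECTORY_SEPARATOR)
              . DIRECTORY_SEPARATOR;
        if (strncmp($real, $root, strlen($root)) === 0) {
            throw new RuntimeException("refusing to read a secret from inside the web root: $real");
        }

        // Check 2: group/other must have no access bits at all (mode 0600 or tighter).
        $mode = fileperms($real) & 0777;
        if (($mode & 0077) !== 0) {
            throw new RuntimeException(sprintf(
                'secret file %s is group/world accessible (mode %04o); chmod 600 it', $real, $mode
            ));
        }

        return rtrim((string) file_get_contents($real), "\r\n");
    }

    public function load(string $envName, string $filePath): string
    {
        return $this->fromEnv($envName) ?? $this->fromFile($filePath);
    }
}

// --- demonstration on a constructed temporary layout --------------------------
$base = sys_get_temp_dir() . '/secret-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/web', 0755, true);   // what Apache would serve
mkdir($base . '/config', 0700);      // sibling of web/, never served
file_put_contents($base . '/config/db_password', "example-db-password\n"); // constructed value
chmod($base . '/config/db_password', 0600);

$loader = new SecretLoader($base . '/web');

// 1. Normal path: APP_DB_PASSWORD is unset, so the protected file is used.
echo 'loaded: ', $loader->load('APP_DB_PASSWORD', $base . '/config/db_password'), PHP_EOL;

// 2. The same file copied under web/ is refused even with mode 0600.
copy($base . '/config/db_password', $base . '/web/db_password');
chmod($base . '/web/db_password', 0600);
try {
    $loader->fromFile($base . '/web/db_password');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// 3. A config file left with sloppy permissions is refused too.
chmod($base . '/config/db_password', 0644);
try {
    $loader->fromFile($base . '/config/db_password');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Failing closed at startup is deliberate: a site that refuses to boot because its credential file is world-readable is a nuisance once, while a site that quietly keeps running with the file served by a mis-scoped vhost is the leak post #15 warns about. The environment-variable path is also what makes the earlier advice about not committing parameters.yml practical, since a variable set in the Apache or systemd unit never has a copy in the source tree at all.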
