Quote:
Originally Posted by Deej
ok, so is it fine and dandy to pull from a text file or passwd file as long as that file is properly protected as well... or is it much safer and smarter to pull from a database?
|
I see no real difference between a flat file (.htpasswd) or a relational database (MySQL)
per se in terms of security. The database may be a bit more secure if it's
used ONLY for authentication because it would be harder for crackers to read.
However if that same database is accessible to other scripts such as a CMS
than crackers may be able to read the database more easily than from a
flat file, or vice versa. So that's a wash if the database is used for anything else,
or is accessible using the same user name and password used for other
databases.
Probably the biggest real life difference which is a distinction between flat
file versus relational per se has to do with how each is commonly used.
Often, systems which use a relational database such as MySQL to store
passwords will store those passwords in plain text, unencrypted. That's a
big no no security wise. A flat file will typically use DES encrpytion, which
is better than no encrpytion, but it's pretty weak. So score half a point for
flat text (.htpasswd). Both flat text (.htpasswd) and relational (MySQL) CAN
be used with strong encryption. Whether or not you use effective encryption
is probably 100 times more important than whether you use flat text or reltional.