0

The first thing I ever read about $_GET is to never use it for passwords, but that's what I want to do.

There is an admin page, which should never be used by anyone except me and my wife. She's not very tech savvy, so if I give her a link with her password written into that link, it would be like giving her a key to a locked vault, but with one-click entry.

Supposing this link is only ever accessed from my computer and her computer, and no one ever has access to our computers, is her password safe?

(Our website uses iPage's servers, if that makes a difference.)

I'll set it up such that if the page is ever reached with no password, it will ask for a password, allowing her a way of accessing the page from non-secure computers.

Will this strategy work? Or have I just described a method that cannot possibly be secure?

Keep in mind, this page is just for updating the stock levels of a small shop. A hacker could be extremely annoying if they got in, but there is no way for them to steal any money from this page. So I don't need "reserve bank" level security here.

Jonathon Philip Chambers
  • 159
  • 7
  • 4
    Why don't you just use the browser's password auto-fill feature? – Barmar Jan 22 '18 at 17:21
  • 2
    Possible duplicate of [Should sensitive data ever be passed in the query string?](https://security.stackexchange.com/questions/29598/) and [Is it bad practice to use GET method as login username/password for administrators?](https://security.stackexchange.com/questions/147188). Also relevant [Hiding sensitive data in URIs](https://security.stackexchange.com/questions/144891). – Steffen Ullrich Jan 22 '18 at 17:48

0 Answers0