
So, I was thinking about workarounds for saving passwords in text files (just because I'm curious), and I thought, what if I saved my file somewhere that is non-accessible? My server has a public_html folder where all of the code lies; however, I created a password text file on the same level as that (and not in the actual folder).

Right now, I'm thinking this is safe because you can't access it via the actual website and yet my code can still get information from it. However, how secure is this really? Is it really a step-up from storing it in the public_html file? What are some ways (sadly, to hackers, where there is a will, there is a way) somebody could exploit a file that isn't publicly accessible?

1 Answer


It depends on what passwords you're talking about. Using WordPress as an example, wp-config.php contains the DB username and password.

It's generally accepted good practice to move the file to a non-web-accessible folder (i.e. outside public_html). That way, a catastrophic PHP failure won't lead to someone being able to view your password just by visiting yoursite.com/wp-config.php.

However, those are DB usernames and passwords, not WordPress usernames and passwords. The WordPress user credentials are stored in the database (and they're hashed). WordPress needs to store the DB credentials somewhere, and by definition that can't be in the DB (you can't store something in it until you've connected to it).

If a hacker managed to get code execution on your WordPress box (sadly, this isn't as rare as you think), then the hacker could simply browse to any readable folder and view the files that have the passwords (whether that's in public_html or anywhere else), log onto the DB, and get the hashes. Then she could either find the plaintext password by brute-forcing it on her local machine, or just update the hash in the DB to something she knows.

In short, though, storing DB credentials in files on a server, in a non-web-accessible folder (outside public_html), is OK. You shouldn't store application credentials (or any other credentials) in any folder on the server.

keithRozario
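The answer's two conditions for a credential file, that it sits outside the web root and that only the owning account can read it, can be checked mechanically. The script below is an added example, not code from the question, the answer, or WordPress; it builds a constructed layout in a temporary directory (a `public_html` web root with a sibling `db-credentials.txt`, plus the same file wrongly copied into `public_html`) and checks both copies. The file name, the site layout and the `DB_USER`/`DB_PASS` contents are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Checks that a credential file sits outside the web root and is readable
# only by its owner. The layout below is constructed for the example:
#   <site>/public_html/          web root, everything in here is served
#   <site>/db-credentials.txt    secret, sibling of public_html, not served

# Physical (symlink-resolved) path of an existing file or directory.
phys_path() {
    if [ -d "$1" ]; then
        (cd "$1" && pwd -P)
    else
        d=$(cd "$(dirname "$1")" && pwd -P) || return 1
        printf '%s/%s\n' "$d" "$(basename "$1")"
    fi
}

# 0 if the secret ($2) is not inside the web root ($1), 1 if it is.
# Comparing physical paths catches a public_html that is itself a symlink;
# it does not catch a symlink *inside* public_html that points at the secret,
# so keep symlink following off in the web server or scan for such links.
outside_docroot() {
    docroot=$(phys_path "$1") || return 1
    secret=$(phys_path "$2") || return 1
    case "$secret" in
        "$docroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if the file has no group or other read bit (e.g. mode 0600), 1 otherwise.
# find -perm -040 / -004 is POSIX; -prune stops it descending into a directory.
owner_only() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Combined check: prints a reason for each failure, returns 0 only if clean.
check_secret() {
    rc=0
    outside_docroot "$1" "$2" || { echo "FAIL: $2 is inside web root $1"; rc=1; }
    owner_only "$2" || { echo "FAIL: $2 is group- or world-readable"; rc=1; }
    return $rc
}

# Build the constructed layout in a fresh temp directory and print its path.
make_layout() {
    site=$(mktemp -d) || return 1
    mkdir "$site/public_html"
    printf 'DB_USER=wp\nDB_PASS=example-only\n' > "$site/db-credentials.txt"
    chmod 600 "$site/db-credentials.txt"
    # The anti-pattern from the question: the same file dropped into public_html.
    cp "$site/db-credentials.txt" "$site/public_html/db-credentials.txt"
    chmod 644 "$site/public_html/db-credentials.txt"
    echo "$site"
}

site=$(make_layout)
check_secret "$site/public_html" "$site/db-credentials.txt" && echo "OK: $site/db-credentials.txt"
check_secret "$site/public_html" "$site/public_html/db-credentials.txt" || true
rm -rf "$site"
```

Both checks only address the "visit yoursite.com/db-credentials.txt" case the answer describes. They do nothing against the code-execution case: PHP runs as the same account that owns the file, so anything that can run code in your application can read the file wherever it lives, which is exactly why the answer says to keep application credentials off the server altogether.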