php - Is it safe to store non-encoded passwords in a folder with chmod 0700?
Let's say I've got an application where my "administrators" are able to see the regular users passwords easily. They can even change it, if they need to.
When a new user comes, the "admin" adds the user to the "system", and gives him the password he just typed. Then the user may change it.
If the user forgets his password, he asks the "admin", who will be able to see it and tell him.
In that application, let's say the passwords are stored in files which are stored in a directory.
The "administrators" are using (let's name it easily…) "admin.php" to access to their administration interface.
Is it safe to choose not to encrypt the passwords but to chmod the directory to "0700", so that only the "admin.php" script can access/modify it?
If not, can you tell why it is not safe to store it in a "0700" folder?
Is a SQL database safer than a "0700" folder?
What is the best way to do this?
Answer
Solution:
The point of hashing passwords is so that nobody except the user themselves can know the password. Because the password is supposed to be secret, and the secrecy of that piece of information is the only form of security the user has.
By storing passwords in plaintext, you make it possible for people other than the actual user to know the password. That replaces the security of mathematical certainty (or at least probability) with the security of human fallibility, system configuration and business procedures. At least one of which is more likely to fail than math.
If your admins are reading the password back to users over the phone, they have basically already failed the procedure part. Sounds like your organisation isn't treating passwords as a form of security, but an inconvenience to work around to begin with, so… whatever I guess? ¯\_(ツ)_/¯
Answer
Solution:
This isn't safe at all. You should always use salted password hashing. There isn't a single excuse not to hash passwords.
Answer
Solution:
Safe is a relative word. There's a degree of safety in that an admin's privilege level or a system acts as a security measure because it's a barrier to accessing that directory. Bypassing either of those grants direct access to those passwords, whereas that wouldn't be the case if they were hashed. Hashes are one-way functions, meaning that you can't derive the password unless you perform a rainbow table attack, which, along with those two security barriers, further increases the attack cost for an attacker. And that, from an Information Security standards standpoint, is a good security practice. That said, hashes aren't absolutely safe either. There are databases out there with hashes so the rainbow table cost can be avoided. So overall, it's less safe because they aren't using standard security practices.
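Following the second and third answers (always use salted hashing; hashes are one-way), here is an added example of how the file-per-user layout from the question could store hashes instead of plaintext. It is not code from the question or any answer; the `users` directory path and the function names are assumptions, and PHP's built-in `password_hash()` supplies the random per-password salt.

```php
<?php
// Added example: hashed password storage for a directory of per-user files.
// USER_DIR and the function names are assumptions, not from the original page.
declare(strict_types=1);

const USER_DIR = __DIR__ . '/users'; // assumed location; still keep it chmod 0700

function userFile(string $username): string
{
    // Reject anything that could escape the directory (e.g. "../admin").
    if (!preg_match('/^[a-z0-9_.-]{1,32}$/i', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    return USER_DIR . '/' . $username . '.json';
}

function setPassword(string $username, string $password): void
{
    // bcrypt via PASSWORD_DEFAULT; the random salt is embedded in the hash
    // string, so no separate salt column/file is needed.
    $record = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
    file_put_contents(userFile($username), json_encode($record), LOCK_EX);
}

function checkPassword(string $username, string $password): bool
{
    $path = userFile($username);
    if (!is_file($path)) {
        return false;
    }
    $record = json_decode((string) file_get_contents($path), true);
    $hash = is_array($record) ? (string) ($record['hash'] ?? '') : '';
    if ($hash === '' || !password_verify($password, $hash)) {
        return false;
    }
    // Transparently upgrade hashes made with an older algorithm or cost.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        setPassword($username, $password);
    }
    return true;
}

// Admin workflow for a forgotten password: issue a new temporary password
// with setPassword(); the old one cannot be read back from the hash.
if (!is_dir(USER_DIR)) {
    mkdir(USER_DIR, 0700, true);
}
setPassword('alice', 'correct horse battery staple'); // constructed sample user
var_dump(checkPassword('alice', 'correct horse battery staple'));
var_dump(checkPassword('alice', 'wrong password'));
```

With this layout an administrator can still reset a user's password, but nobody, including the admin, can recover the current one from the stored file.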