Storing User-Pass logins in json file?

Question

I've been tasked with creating a system to this, the issue is I can’t store anything in a database as the server is set up ridiculously badly and basically any database related storage is unavailable for use.

So I came to the conclusion of storing any and all data in a json format. Now my issue is I need to store user credentials as access is only allowed to authorised users.

How would I go about storing these user credentials? Would I store them with one-way password hashes or should I use something like mcrypt_encrypt() & mcrypt_decrypt() respectively?

Encryption Function

function encrypt($string) {
        if (extension_loaded('mcrypt')) {
            return trim($this->base64_url_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->key, $string, MCRYPT_MODE_ECB)));
        } else {
            return false;
        }
    }

Decryption Function

function decrypt($string) {
        if (extension_loaded('mcrypt')) {
            return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->key, $this->base64_url_decode($string), MCRYPT_MODE_ECB));
        } else {
            return false;
        }
    }

And the following two base64 functions from here:

function base64_url_encode($input) {
        return strtr(base64_encode($input), '+/=', '-_,');
    }

    function base64_url_decode($input) {
        return base64_decode(strtr($input, '-_,', '+/='));
    }

I'd personally avoid having mutliple calls inside other calls, it makes it slightly harder to debug & read on the later, add some new lines with comments, it'll assist when looking back at the code — Daryl Gill, May 30 '14 at 02:23
It doesn't matter what storage mechanism you use (database, text file, etc.), you should never ever store plain-text or encrypted passwords. Always salt and hash them: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords?lq=1 — jeroen, May 30 '14 at 02:25
@Dagon absolutely no way, the people before me set up the ugliest thing I've ever laid my hands on — Darren, May 30 '14 at 02:25
you know it just uses a flat file, no db engine needs be installed — , May 30 '14 at 02:25
As Darren says, always salt and hash them. Use[password_hash](http://docs.php.net/manual/en/function.password-hash.php) if you can, or the [compatibility library otherwise](https://github.com/ircmaxell/password_compat). — Oscar M., May 30 '14 at 04:39

score 4 · Accepted Answer · answered May 30 '14 at 02:27

4

Always use one way encryption when dealing with user passwords. The potential damages of an someone gaining access to your server and recovering passwords are just too great. I'd recommend a memory-intensive, multiple-round hashing algorithm such as bcrypt/scrypt.

If you must use JSON, store your passwords hashed, and then when a user logs in, rehash their password and compare.

{
 "users": [{
   "name": "john",
   "password": "sjh77DGGD..."
 }, {
   ...
 }]
}

answered May 30 '14 at 02:27

Jephron

2,652
1
23
34

1

Would it be better to store all possible logins in one file or have a file for each seperate user? – Darren May 30 '14 at 02:37
1

In your case it might actually make more sense to store them as separate files. If you're going to be reading a file every time someone logs in you might as well read a smaller file. This would be a lot easier if you were using SQLite. If you can store a json file can't you just store a .sqlite db file? – Jephron May 30 '14 at 02:47
Basically any `sql*` file, related anything is automatically removed. I have no access to the server at all so I have no choice but this really. – Darren May 30 '14 at 02:49
1

Ok, I understand. Sometimes we've all gotta work under crazy constraints :D – Jephron May 30 '14 at 02:51
Do you have to store any additional information about your users aside from just the passwords? – Jephron May 30 '14 at 02:52
luckily just username and passwords to prevent random people accessing! – Darren May 30 '14 at 02:53

Storing User-Pass logins in json file?

1 Answers1