The PHP crypt function is a one-way encryption function that lets you confirm that an entered password matches a stored encrypted one -- without having to decrypt anything. Chris Root explains how it works.
If you use a flat file for your password storage, make sure to put it outside your Web root. Proper permissions can be set on this file to allow your scripts to access it. By default on UNIX systems, PHP and the Web server run as the user "nobody." Using a flat file is fine for a small number of passwords, but if you have a lot of them, a database is a better choice. You could also split your password storage: website usernames and passwords in a database, and database access passwords in a flat file.
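As an added illustration (not code from the original article), here is one way to check a login against a flat password file with crypt(). The function names `make_hash()` and `verify_login()`, the `username:hash` line format, and the use of bcrypt on PHP 7 or later are assumptions.

```php
<?php
// Added example: check a login against a flat "username:hash" file using crypt().
// make_hash(), verify_login() and the file layout are assumptions for illustration.

function make_hash(string $password): string
{
    // bcrypt setting string: "$2y$", cost 10, then a 22-character random salt.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, '$2y$10$' . $salt);
}

function verify_login(string $file, string $user, string $password): bool
{
    // Refuse a password file that accounts outside its owner and group can touch.
    $mode = fileperms($file);
    if ($mode === false || ($mode & 0007) !== 0) {
        throw new RuntimeException("Refusing to use $file: check its permissions");
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException("Cannot read $file");
    }
    foreach ($lines as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] === $user) {
            // The stored hash carries its own algorithm, cost and salt, so passing
            // it as the second argument re-hashes the attempt the same way.
            // hash_equals() compares the two results in constant time.
            return hash_equals($parts[1], crypt($password, $parts[1]));
        }
    }
    return false; // unknown user
}

// Constructed sample data: a temporary file stands in for a password file
// that would live outside the Web root.
$file = tempnam(sys_get_temp_dir(), 'pw');
chmod($file, 0600);
file_put_contents($file, 'alice:' . make_hash('correct horse') . "\n");

var_dump(verify_login($file, 'alice', 'correct horse'));
var_dump(verify_login($file, 'alice', 'wrong guess'));
var_dump(verify_login($file, 'mallory', 'correct horse'));
unlink($file);
```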
You also have the option of using .htaccess and .htpasswd files if you are using the Apache Web server. Make sure to consult the documentation for your server for more information. Another good general net security resource is available at http://www.net-security.org/. Always keep up with the latest security updates and bulletins for any software you use on your site and apply the available patches promptly.
There are other encryption functions and add-ons for PHP as well, such as md5() or a two-way PHP extension called Mcrypt. A good source of information about these and other PHP functions and features is the PHP manual. You can access the PHP manual online at http://us2.php.net/manual/en/index.php or through the PHP Freaks web site http://www.phpfreaks.com/.
Using crypt, we have made password validation secure and easy. There was no need to ever expose the real password, and the logged-in user is now on their way to doing some work. Always consider all security measures available when you have important information to protect.