Protecting the user ftp password

Hi,

I am adding a ftp signon to my software and plan to store that value using the php password_hash() function. My concern is that it may not mesh with how cpanel processes that data on the cpanel side of things for the users ftp account.

I don't need to know how cpanel does it, i just want to know if the ftp pw is submitted as a password_hash(), will cpanel accept the data as a pw hash. Users dont want to have to keep typing in their ftp information which is why i am adding this feature.

UPDATE: well i just ran a test with the hash and it did not work. Are we really suppose to send that pw over the request unhashed?

 

no sir i have not used the hash on filezilla or any of the third party ftp scripts. If the hash is created using php password_hash() then if the ftp account (same as cpanel to me because its under the cpanel software) accepts hash's then it should work, that sounds logical to me. This is why i say that cpanel or any of its derrivatives (ftp or otherwise) must not accept hashed content.

However for the sake of conversation i will recreate the hash and submit it via the manual connection for filezilla and see if it connect, but im really thinking it wont.

 

yes sparek exactly, i might as well just use nothing because anything i use that is one way is useless. In this day and age its hard for me to imagine the fact that any software still sends password data unhashed over a request, regardess how secure the request is. All pw should be hashed. At least give us the option like some attribute we can add to the ftp request to tell it that we are using hashed data and filter it accordingly.

OH but wait, i forgot!! The priority was forum eye candy not security... oh now i got it.

 

So why cant it work like a normal PW. Aside from the transmission part, the system takes what is entered and hashes it, if the hashes match then its a go, if not then its denied, there is no unhashing of it. We have that kind of security with other PW's so why not the FTP PW. Besides i cant be asking people that use my plugin to set up a different kind of ftp just because cpanel seems behind the times and sitting down on this one. Security in every way should be a priority, regardless.

Also dont forget im not asking to reinvent the wheel here, they dont have to take away the current process. Just add an alternative process for hashes, so we can call on that process when we need to.