Passwords and security

Discussion in 'General Chat' started by french-webbie, Feb 13, 2009.

  1. #1
    I've been subscribing to affiliate programs a lot lately, and there's a thing that keeps happening again and again, about 9 times out of 10: the site sends me my password in full text in my emails.
    Has nobody ever heard of security principles?
    A password should never be sent through email, much less to a "public service" like Gmail or Yahoo.
    It can seem a bit paranoid to most of you, but we're dealing with money here, which is at the same level to me as classified information is to others.

    Is it that hard to implement a real secure process?
    Not at all. I know at least one affiliate program that does it perfectly (but I won't tell its name, don't want the others to be jealous).

    So what is a secure process when handling passwords?
    First of all, never store the password in full text in your databases. If you can send it through email, it means you don't even reach that basic level. A simple MD5 encryption with a specific salt for each user is a must. Even with a hacked or stolen DB, you'll have to break it for each user, so it isn't worth the amount of work. In fact, I prefer to use a doubled encryption at that level, i.e. MD5(salt.MD5(password)), as the salt is stored in full text in the same record.

    So what if the user loses their password?
    In that case, you have to generate a new random password and a new random salt for that user. You send the new password in full text by email, but you give it a time window, i.e. this password can be used for one or two hours only. If the user tries to connect after the time is over, you recreate a new password and salt and start again.
    This is where the end user can feel some trust in your service. If you deal with that level of security for a mere connection password, everything behind it must be clean too. And then we can do business.
    OK, I must admit I've seen that time window feature only once, but the nerd in me fell in love with it immediately.

    And last of all, educate your users.
    That part really depends on the level of security of your application. It can be done by setting a minimum password length, by preventing the use of a simple word (by checking it against a dictionary), by requiring at least one non-alphanumeric character in it, or by forcing the user to set a new password (sometimes different from the last ten) every now and then (which is very boring for the user).

    That's all, folks. I do hope that one day I won't receive the excuse of "It's been a while since our last mailing, that's why we sent the password again." when asking about that information sent in plain text.
     
    french-webbie, Feb 13, 2009 IP
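The scheme the post describes (per-user salt, a random temporary password that only works for a limited window, and the password-policy checks in the last section), as an added example that is not code from the thread or from any affiliate program it mentions. One deliberate swap: PBKDF2-HMAC-SHA256 replaces the post's MD5, because a fast hash like MD5 lets an attacker who steals the table try billions of guesses per second even with a per-user salt. The iteration count, the two-hour window, the 12-character minimum, the 16-character temporary password and the tiny word list are assumptions chosen for the example.

```python
# Added example, not from the thread. Salted password storage, a time-limited
# reset password, and the policy checks described above.
# Deliberate swap: PBKDF2-HMAC-SHA256 instead of the post's MD5.
# Iteration count, reset window, length minimum and word list are assumptions.
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000          # assumption; use a higher count in production
RESET_WINDOW_SECONDS = 2 * 60 * 60   # the post suggests "one or two hours"
MIN_PASSWORD_LENGTH = 12             # assumption
PASSWORD_HISTORY = 10                # the post: "different from the last ten"
ALNUM = string.ascii_letters + string.digits
# Constructed mini word list; a real deployment would load a full dictionary.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon"}


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    expires_at: Optional[float] = None                  # None = permanent password
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # old (salt, digest)


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted digest; only this (never the plaintext) is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(password: str) -> UserRecord:
    salt = secrets.token_bytes(16)   # fresh random salt per user
    return UserRecord(salt=salt, digest=derive(password, salt))


def login(rec: UserRecord, password: str, now: float) -> str:
    """'ok', 'expired' (temporary password past its window) or 'denied'."""
    if not hmac.compare_digest(derive(password, rec.salt), rec.digest):
        return "denied"
    if rec.expires_at is not None and now > rec.expires_at:
        return "expired"   # caller should run start_reset() again, as the post says
    return "ok"


def _remember(rec: UserRecord) -> None:
    """Keep the last PASSWORD_HISTORY permanent credentials for the reuse check."""
    if rec.expires_at is None:
        rec.history.append((rec.salt, rec.digest))
        rec.history = rec.history[-PASSWORD_HISTORY:]


def start_reset(rec: UserRecord, now: float) -> str:
    """Replace the credential with a random temporary password and a new salt.
    The returned plaintext is what gets mailed to the user; it expires after
    RESET_WINDOW_SECONDS and only its salted digest is stored."""
    _remember(rec)
    temp = "".join(secrets.choice(ALNUM) for _ in range(16))
    rec.salt = secrets.token_bytes(16)
    rec.digest = derive(temp, rec.salt)
    rec.expires_at = now + RESET_WINDOW_SECONDS
    return temp


def policy_violations(password: str) -> List[str]:
    """Minimum length, dictionary word, and at least one non-alphanumeric character."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    if all(c in ALNUM for c in password):
        problems.append("no non-alphanumeric character")
    return problems


def set_password(rec: UserRecord, new_password: str) -> List[str]:
    """Set a permanent password. Returns [] on success, else the reasons it was refused."""
    problems = policy_violations(new_password)
    for old_salt, old_digest in rec.history:
        if hmac.compare_digest(derive(new_password, old_salt), old_digest):
            problems.append("reused one of the last %d passwords" % PASSWORD_HISTORY)
            break
    if problems:
        return problems
    _remember(rec)
    rec.salt = secrets.token_bytes(16)
    rec.digest = derive(new_password, rec.salt)
    rec.expires_at = None
    return []
```

Note that after a successful login with the temporary password the application should force a call to `set_password`, so the mailed secret never becomes the long-term credential; the history check uses each old salt so no stored digest is ever compared against a fresh hash of the wrong salt.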
  2. #2
    Very good points.
     
    Fresian2009, Feb 13, 2009 IP