|
Posted by Richard Lynch on 10/05/34 11:13
On Tue, April 12, 2005 4:40 am, trlists@clayst.com said:
[lots and lots of stuff, mostly valid, about Security being applied in
ratio with the data being protected]
I don't have the time to answer this point by point.
So I'll stick with some generalizations.
I have what I consider a MINIMUM standard level of security for any site
that asks for a password.
That would include:
Not storing the password *ANYWHERE* in clear-text.
Not in database.
Not in $_SESSION
Not in COOKIES
Not storing an encrypted username/password in $_SESSION/COOKIE if having
those values provides access. Because at that point, the encryption is
rather meaningless, as it's really a clear-text 32-character code that
happens to be the encrypted value of something secret, but the clear-text
32-character code gives the Bad Guy access, whether they know the secret
or not.
If your content/application/data is important enough to warrant a
username/password, then it should be important enough to secure with this
minimal level of security, IN MY OPINION.
The "tie-in" from a given user's session data should be ephemeral -- it
should expire within a short time frame.
It should also be un-guessable, like PHP's session IDs.
It should not, in and of itself, provide enough data for a Bad Guy with
the means to readily compromise an account on a long-term basis.
If users forget passwords, they should get new random passwords, with the
application/email directing them to change those passwords to memorable
(to them) but hopefully un-guessable (to Bad Guys) values.
Nothing I am recommending is significantly more difficult, nor complex,
then the alternatives you are presenting.
I would contend that anything less is simply a false sense of security,
provided to the un-informed, by using inherently insecure
username/password methodolgy.
The fact that 10 zillion sites are currently doing exactly that does not
make it "right".
You obviously disagree, and think everything is just hunky-dory in the 10
zillion sites that are leaking passwords to any Bad Guy with half a clue.
We'll simply have to agree to disagree on what is a minimal standard level
of security, and move forward.
--
Like Music?
http://l-i-e.com/artists.htm
Navigation:
[Reply to this message]
|