Re: [PHP] Storing password in cookie

Posted by Richard Lynch on 10/01/34 11:13

On Tue, April 12, 2005 4:40 am, trlists@clayst.com said:
[lots and lots of stuff, mostly valid, about Security being applied in
ratio with the data being protected]

I don't have the time to answer this point by point.

So I'll stick with some generalizations.

I have what I consider a MINIMUM standard level of security for any site
that asks for a password.

That would include:
Not storing the password *ANYWHERE* in clear-text.
Not in database.
Not in $_SESSION
Not in COOKIES

Not storing an encrypted username/password in $_SESSION/COOKIE if having
those values provides access. Because at that point, the encryption is
rather meaningless, as it's really a clear-text 32-character code that
happens to be the encrypted value of something secret, but the clear-text
32-character code gives the Bad Guy access, whether they know the secret
or not.

If your content/application/data is important enough to warrant a
username/password, then it should be important enough to secure with this
minimal level of security, IN MY OPINION.

The "tie-in" from a given user's session data should be ephemeral -- it
should expire within a short time frame.

It should also be un-guessable, like PHP's session IDs.

It should not, in and of itself, provide enough data for a Bad Guy with
the means to readily compromise an account on a long-term basis.

If users forget passwords, they should get new random passwords, with the
application/email directing them to change those passwords to memorable
(to them) but hopefully un-guessable (to Bad Guys) values.

Nothing I am recommending is significantly more difficult, nor complex,
than the alternatives you are presenting.

I would contend that anything less is simply a false sense of security,
provided to the un-informed, by using inherently insecure
username/password methodology.

The fact that 10 zillion sites are currently doing exactly that does not
make it "right".

You obviously disagree, and think everything is just hunky-dory in the 10
zillion sites that are leaking passwords to any Bad Guy with half a clue.

We'll simply have to agree to disagree on what is a minimal standard level
of security, and move forward.

--
Like Music?
http://l-i-e.com/artists.htm
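The scheme Richard argues for above (no clear-text password anywhere, a cookie value that is random rather than derived from the password, short-lived, and useless for long-term access if it leaks), written out as an added example in PHP. This is not code from the post or the list; it assumes PHP 7.1 or later for `random_bytes()`, `password_hash()` and nullable return types, and it uses an in-memory `$db` array as a constructed stand-in for the real users and token tables. All function, column and constant names are assumptions for the illustration.

```php
<?php
// Added example, not from the mailing-list post. $db is a constructed in-memory
// stand-in for a users table and a login-token table; the names are assumptions.

const TOKEN_TTL = 900; // 15 minutes: the "tie-in" between cookie and account is ephemeral

$db = ['users' => [], 'tokens' => []];

// Store only a slow, salted hash of the password; the clear text is never kept.
function register(array &$db, string $user, string $password): void {
    $db['users'][$user] = ['pw_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// Check the password at login; on success hand out an ephemeral random token.
function login(array &$db, string $user, string $password): ?string {
    if (!isset($db['users'][$user])) {
        return null;
    }
    if (!password_verify($password, $db['users'][$user]['pw_hash'])) {
        return null;
    }
    return issue_token($db, $user);
}

// The cookie value is unguessable (256 bits from the CSPRNG, like a session ID)
// and has no relation to the password, so it is not a "clear-text encrypted
// password" in disguise. The table stores only its SHA-256, so a dumped token
// table cannot be replayed as cookies, and the expiry bounds a stolen cookie.
function issue_token(array &$db, string $user): string {
    $token = bin2hex(random_bytes(32));
    $db['tokens'][hash('sha256', $token)] = [
        'user'    => $user,
        'expires' => time() + TOKEN_TTL,
    ];
    // In a real request handler the token would go out as the cookie, e.g.
    // setcookie('auth', $token, ['expires' => time() + TOKEN_TTL,
    //     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $token;
}

// What each request does with the presented cookie value.
function user_from_token(array &$db, string $token): ?string {
    $key = hash('sha256', $token);
    if (!isset($db['tokens'][$key])) {
        return null;
    }
    $row = $db['tokens'][$key];
    if ($row['expires'] < time()) {
        unset($db['tokens'][$key]); // expired: drop it, force a fresh login
        return null;
    }
    return $row['user'];
}

// Forgotten password: issue a new random one, store only its hash, and have the
// application/e-mail tell the user to change it. The old hash is now useless.
function reset_password(array &$db, string $user): ?string {
    if (!isset($db['users'][$user])) {
        return null;
    }
    $temp = bin2hex(random_bytes(9)); // 18 hex chars, meant to be changed on first use
    $db['users'][$user]['pw_hash'] = password_hash($temp, PASSWORD_DEFAULT);
    return $temp; // would be e-mailed to the user, never stored in clear text
}

// Small check helper so the demo does not depend on zend.assertions settings.
function expect(bool $cond, string $what): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- demo run on constructed data ---
register($db, 'alice', 'correct horse battery staple');
expect(login($db, 'alice', 'wrong') === null, 'wrong password is rejected');

$cookie = login($db, 'alice', 'correct horse battery staple');
expect($cookie !== null, 'correct password yields a token');
expect(user_from_token($db, $cookie) === 'alice', 'token maps back to the user');
expect(user_from_token($db, $cookie . 'x') === null, 'tampered token is rejected');
expect(!isset($db['tokens'][hash('sha256', $cookie)]['token']), 'table has no token column');
expect(!array_key_exists($cookie, $db['tokens']), 'table holds the hash, not the token');

$temp = reset_password($db, 'alice');
expect(login($db, 'alice', 'correct horse battery staple') === null, 'old password no longer works');
expect(login($db, 'alice', $temp) !== null, 'new random password works');
echo "ok\n";
```

Two points worth noting against the alternative being argued about in the thread: if the cookie held `md5($password)` instead of a random token, that 32-character value would be a replayable credential with no expiry, and anyone reading the cookie or the database would hold it; with the design above, a stolen cookie is worth `TOKEN_TTL` seconds at most and a stolen database yields neither passwords nor usable cookies.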
