Thread: Storing Private Data

  1. #1
    Join Date: Oct 2005 | Posts: 593

    Storing Private Data

    Hi there,
    I'm redesigning my previously designed explorer scout website (I'm 16) and we have decided that we would like to store the details of the explorers on the website so WE can access it anywhere we want. They have given us permission but now we come to security... All of the people stored will be between 14-18... We will most likely purchase a 128-bit certificate but what else can I do to protect the data? I know the certificate will only encrypt the data, so it won't do a lot if someone knows the password.. So any ideas on a very good password protection script? Of course I will have to make sure that the leaders only use this on their own computer as there may be spyware/keyloggers on public computers... All the data will be held in a database!

    Any ideas?
    Fet

  2. #2
    Join Date: Nov 2006 | Posts: 197
    What about MD5?

    When passwords are entered into the database... md5($password) will encrypt the password that's in the database. When someone enters a password to access the data...

    // $storedHash holds the value read from tableName.passwordField
    if (md5($password) === $storedHash) {
        // give 'em access
    } else {
        // deny
    }

    I dunno how you would ensure that access was made from a specific (leaders computer) computer if it's meant to be accessed anywhere.
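As an added illustration (not code from the thread), the MD5 check above is shown next to PHP's built-in password_hash()/password_verify(), which add a random per-user salt and a deliberately slow algorithm so that a leaked table cannot simply be matched against precomputed digests. The function names and the sample password are constructed for this example.

```php
<?php
// Added example, not code from the thread. Shows the MD5 check from the post
// beside PHP's built-in password_hash()/password_verify(). Function names and
// the sample password are constructed for this illustration.
declare(strict_types=1);

// The post's approach: an unsalted MD5 digest stored in the table. Two users
// with the same password get the same digest, and MD5 is fast enough that a
// leaked table can be matched against precomputed digests of common passwords.
function md5Check(string $submitted, string $storedDigest): bool
{
    // hash_equals() compares in constant time and as strings; PHP's loose ==
    // would compare digests that happen to look numeric as numbers.
    return hash_equals($storedDigest, md5($submitted));
}

// Recommended approach: password_hash() generates a random per-user salt and
// runs a deliberately slow algorithm (bcrypt for PASSWORD_DEFAULT in current
// PHP). Algorithm, cost and salt are embedded in the returned string, so a
// single VARCHAR(255) column is enough to store it.
function storePassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT, ['cost' => 12]);
}

function checkPassword(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

// After a successful login, upgrade the stored hash if the cost parameter was
// raised since it was created. Returns the (possibly new) hash to write back.
function rehashIfNeeded(string $plaintext, string $storedHash): string
{
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => 12])) {
        return storePassword($plaintext);
    }
    return $storedHash;
}

// Demonstration on a constructed password (no real users).
$leaderPassword = 'correct horse battery staple';

$digest = md5($leaderPassword);
printf("md5 check, right password:    %s\n", md5Check($leaderPassword, $digest) ? 'accept' : 'deny');
printf("md5 check, wrong password:    %s\n", md5Check('wrong', $digest) ? 'accept' : 'deny');

// Hashing the same password twice yields different strings because of the
// random salt, yet both verify correctly.
$hashA = storePassword($leaderPassword);
$hashB = storePassword($leaderPassword);
printf("same password, same bcrypt?   %s\n", $hashA === $hashB ? 'yes' : 'no');
printf("bcrypt check, right password: %s\n", checkPassword($leaderPassword, $hashA) ? 'accept' : 'deny');
printf("bcrypt check, wrong password: %s\n", checkPassword('wrong', $hashB) ? 'accept' : 'deny');
$hashA = rehashIfNeeded($leaderPassword, $hashA);
```

Because the salt and cost live inside the hash string, the login code never has to manage them separately, and raising the cost later only requires the rehashIfNeeded() step at the next successful login.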

  3. #3
    Join Date: Oct 2005 | Posts: 593
    Cheers for that.. I'll look into that! Any other suggestions?

    As for the leader thing.. I wasn't going to allow it only on specific computers, I was going to just supply a simple message on the login page requesting them not to log in on a public computer for security reasons!

    Fet

  4. #4
    Join Date: Nov 2006 | Posts: 528
    Honestly, I don't see the need for such high strength security on a scouting site. Unless you are including SSNs I doubt any information you are storing cannot be obtained publicly.

    Anyway, just to throw this out there for the sake of argument. There is a way to create a login system that is not prone to keylogging. Create an input system that relies upon the mouse. For example, you create a virtual "keyboard" on the screen and the user clicks on the letters/numbers to be entered into the password field.

    And, for those of you wanting to use the same security on public computers for sites that do not do this themselves, you can use the built-in "On Screen Keyboard" that is built into XP. Just go to Start > Run and enter "osk.exe"

  5. #5
    Join Date: Sep 2006 | Location: Europe | Posts: 174
    Quote Originally Posted by mjdamato
    Honestly, I don't see the need for such high strength security on a scouting site. Unless you are including SSNs I doubt any information you are storing cannot be obtained publicly.

    It's this kind of cavalier attitude to personal data by organisations big and small that is exposing web users to the unscrupulous. It's fantastic to see that scottyrob is concerned with the security of the data he is storing whether or not others considered it to be important or not.

    scottyrob, having a secure login is only the first step. Using a one way hash to store passwords is important, as is only entering form data over an SSL connection.

    Even if a user is logged in don't presume that they are "trusted" when entering data or querying the database. That is, presume that anything submitted by a form on your site needs to be cleaned. PHP has native functions for this such as addslashes().

    In terms of guarding against key loggers etc, encourage your subscribers to ensure that all of their operating system is up to date. Run virus scans regularly, use products such as SpyBot, ewido (now AVG anti-spyware), Spyware blaster. Above all, ensure that you update your browser and OS regularly.

    A very good login script can be found at evolt.org.
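An added example (not from this post and not the evolt.org script) of the point about not trusting a logged-in user's form data, written in PHP against an in-memory SQLite table so it runs stand-alone: the form value is bound as a prepared-statement parameter instead of being escaped with addslashes(), it is validated against an allowlist pattern before the query, and the result is HTML-encoded on output. The table, column names, function names and sample rows are constructed for the example.

```php
<?php
// Added example, not code from the thread. Treats form input as untrusted
// end to end: validate, bind as a parameter, encode on output. The table,
// column names and rows are constructed for the illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver you would also set PDO::ATTR_EMULATE_PREPARES to
// false so the server, not the client library, separates SQL from data.
$pdo->exec('CREATE TABLE explorers (id INTEGER PRIMARY KEY, name TEXT, patrol TEXT)');

// Constructed sample rows, not real scouts.
$seed = $pdo->prepare('INSERT INTO explorers (name, patrol) VALUES (:name, :patrol)');
foreach ([['Alice', 'Falcons'], ['Bob', 'Otters'], ['Carol', 'Falcons']] as [$n, $p]) {
    $seed->execute([':name' => $n, ':patrol' => $p]);
}

// Validate before querying: a patrol name from a form should look like a
// patrol name. Reject anything else instead of trying to "clean" it, which
// is where addslashes()-style escaping tends to go wrong (wrong dialect,
// applied twice, or not applied at all on one code path).
function validPatrolName(string $value): bool
{
    return (bool) preg_match("/^[A-Za-z][A-Za-z '-]{0,39}$/", $value);
}

// Look up explorers by patrol. The user-supplied value travels as a bound
// parameter: whatever characters it contains, the database only ever
// compares it as a string and never interprets it as part of the SQL.
function explorersInPatrol(PDO $pdo, string $patrol): array
{
    $stmt = $pdo->prepare('SELECT name FROM explorers WHERE patrol = :patrol ORDER BY name');
    $stmt->execute([':patrol' => $patrol]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Encode on output as well: stored data rendered into HTML must be escaped
// so a name that happens to contain markup is displayed as text.
function renderList(array $names): string
{
    $items = array_map(
        fn(string $n): string => '<li>' . htmlspecialchars($n, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>',
        $names
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

// Form input is untrusted even from a logged-in leader. Defaults to a
// sample value so the script can be run from the command line.
$requested = $_GET['patrol'] ?? 'Falcons';
if (!validPatrolName($requested)) {
    http_response_code(400);
    exit('Invalid patrol name');
}
echo renderList(explorersInPatrol($pdo, $requested)), "\n";
```

The three steps are independent layers: validation limits what reaches the query, parameter binding keeps the query's structure fixed regardless of the value, and output encoding protects the browser of whoever views the page later.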

  6. #6
    Join Date: Nov 2006 | Posts: 528
    Quote Originally Posted by Taschen
    It's this kind of cavalier attitude to personal data by organisations big and small that is exposing web users to the unscrupulous. It's fantastic to see that scottyrob is concerned with the security of the data he is storing whether or not others considered it to be important or not.

    scottyrob, having a secure login is only the first step. Using a one way hash to store passwords is important, as is only entering form data over an SSL connection.

    Even if a user is logged in don't presume that they are "trusted" when entering data or querying the database. That is, presume that anything submitted by a form on your site needs to be cleaned. PHP has native functions for this such as addslashes().

    In terms of guarding against key loggers etc, encourage your subscribers to ensure that all of their operating system is up to date. Run virus scans regularly, use products such as SpyBot, ewido (now AVG anti-spyware), Spyware blaster. Above all, ensure that you update your browser and OS regularly.

    A very good login script can be found at evolt.org.

    My attitude is not cavalier. It is simply a matter of using the appropriate tool for the job. The more "security" you put into a solution the more likely it is to fail, have bugs, and be more of a nuisance to the users than they are willing to put up with.

    If you noticed I did give the OP another means to add security, so I didn't say not to increase security or say that it was stupid. I just gave my opinion and a suggestion.

    By the way, I happen to work for a software company that is a top provider of software to the Tax & Accounting industry in the US. We supply both desktop and web based products and I personally think that our security is not strong enough. It is a matter of the security being proportional to the value of the data being secured.
