
Passwords

Every web site handles some passwords, if nothing else, the administrator's password. Letting them fall into the wrong hands can be a very unpleasant experience, so they need maximum protection. What should be taken care of?

Encrypt passwords!

Plain (unconverted) passwords should not be kept in the database! In my career, I have witnessed cases where passwords for e-commerce sites were stored in plain text in the database! The same goes for users' credit card data! Unforgivable!
 
Passwords are mostly stored as MD5 hashes. MD5 is a one-way algorithm, which means that the hashed string cannot be decoded back to the original. If a hacker somehow gets hold of the database contents, he still cannot read the users' passwords and therefore cannot log on to the system.

Applying the MD5 algorithm raises the level of security, but that is not enough! It often happens that administrators use a "weak" or commonly used password (the most common user name and password is the same word: "admin"). On the Net there are password databases that also contain the MD5 hashes (encoded values) of those passwords, so if one of them contains the MD5 hash of your password, recovering the password itself is an easy task.

Even if no such database contains your password, if it consists of only 3-4 letters it will be relatively easy to find.

The solution is to lengthen the password. Before the MD5 conversion, add to it a string drawn from a very broad set of characters (e.g. "e$f*(@%6&/"), so that recovering the password would take far too much time, making it practically impossible.

There is also the possibility that a password can be "predicted" (e.g. by watching someone type it, or by trying meaningful names or dates). To handle such "lucky guess" hacking attempts, the so-called lockout feature is used: after several consecutive unsuccessful logins, the account is locked.

And finally, to force the use of stronger passwords, it is possible to require that a password contain lower- and upper-case letters, digits or special characters, or that it have at least N characters.
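The three measures above (an extra string before hashing, lockout after repeated failures, and a password policy) put together in Python, as an added example that is not part of the original article. It generalizes the article's fixed extra string to a random per-user salt stored next to the hash; the lockout threshold, the policy values and the in-memory account table are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re

MAX_FAILURES = 5   # consecutive failed logins before lockout (assumed threshold)
SALT_BYTES = 16    # random per-user salt; generalizes the article's fixed extra string

def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; MD5 is used because that is what the article describes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"

def check_password(password, stored):
    """Re-hash with the stored salt and compare in constant time (no timing leak)."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def is_strong(password, min_len=8):
    """Policy from the article: lower and upper case, a digit, a special char, N+ chars."""
    return (len(password) >= min_len
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

class AccountStore:
    """In-memory stand-in for the users table: name -> hash and consecutive-failure count."""
    def __init__(self):
        self.accounts = {}

    def register(self, name, password):
        if not is_strong(password):
            raise ValueError("password does not meet the policy")
        self.accounts[name] = {"hash": hash_password(password), "failures": 0}

    def is_locked(self, name):
        return name in self.accounts and self.accounts[name]["failures"] >= MAX_FAILURES

    def login(self, name, password):
        acct = self.accounts.get(name)
        if acct is None or self.is_locked(name):
            return False              # unknown user or locked account: reject either way
        if check_password(password, acct["hash"]):
            acct["failures"] = 0      # a successful login resets the counter
            return True
        acct["failures"] += 1         # wrong password: one step closer to lockout
        return False
```

MD5 is kept only because it is the algorithm the article describes; in a real system a deliberately slow password hash such as PBKDF2 (hashlib.pbkdf2_hmac) is the usual substitute for the hashing step, with the salt and lockout logic unchanged.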

Following all of these rules will get you a pretty secure password system.
