Protecting User Accounts – Password Management

By Frank Forte

If you develop or manage a website, there are many reasons to take the time to protect user data. Consider what happens if your website is hacked:

  • In the case of eCommerce, fraud can be costly to the user and to the website owner.
  • It can cause privacy concerns and damage your brand.
  • It can allow hackers to spread viruses, send spam, and do a lot more damage through your website over long periods of time without you even knowing it.
  • You can be blacklisted by search engines and email providers, making your website hard to find and preventing your emails from reaching any users.

Here are some tips to protect user accounts:

To store user passwords:
The Password-Based Key Derivation Function 2 (PBKDF2) lets you store passwords securely: even if someone hacks into your database, cracking the stored password hashes will be very difficult and time consuming. This matters because many people reuse the same password on other sites!

To reset user passwords:
1) Create a table with user_id, datetime, unique_hash.
2) When a user requests to reset their password, create a unique hash, for example sha1(microtime().'random_salt'). Insert that value in the table and send the user an email with a link that contains the hash.
3) When they click the link, check the table for the hash. If it exists and is within a time limit (e.g. 3 hours), let them reset their password. When the password is successfully reset, delete the hash.

To authenticate:
1) Have a "password attempts" field that increments each time a login fails. If there are too many attempts (e.g. 10), even the right password should fail.
2) If there is a successful login (only possible before the 10-attempt limit is reached), set the attempts back to zero. This is also a good time to log the website access, including IP address, time, and user id; keeping track of website access is important in case an account is compromised.
3) Once locked out, the only way to regain access should be a password reset, usually done through email.
The above authentication logic thwarts brute force attacks. Even if a computer can try millions of passwords and would eventually guess the correct one, it will be locked out by the 11th attempt.
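The three procedures above (PBKDF2 storage, the time-limited reset hash, and the attempt counter) as one added example in Python with the standard library. This is not code from the original post; the dictionaries stand in for the database tables, the iteration count is an assumption to tune for your hardware, and the reset token is generated with a CSPRNG (secrets.token_urlsafe) rather than sha1(microtime().'random_salt'), which an attacker can narrow down from the request time.

```python
import hashlib, hmac, os, secrets

PBKDF2_ITERATIONS = 100_000   # assumption: raise until a hash takes ~100 ms on your server
MAX_ATTEMPTS = 10             # from the post: the 11th attempt is refused
RESET_TTL_SECONDS = 3 * 3600  # from the post: 3-hour window for the reset link

users = {}         # stands in for the user table: user_id -> {salt, hash, attempts}
reset_tokens = {}  # stands in for the reset table: token -> {user_id, created}

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def set_password(user_id: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    users[user_id] = {"salt": salt, "hash": _derive(password, salt), "attempts": 0}

def login(user_id: str, password: str) -> bool:
    u = users[user_id]
    if u["attempts"] >= MAX_ATTEMPTS:
        return False  # locked out: even the correct password fails now
    if hmac.compare_digest(_derive(password, u["salt"]), u["hash"]):
        u["attempts"] = 0  # success before the limit resets the counter
        return True
    u["attempts"] += 1
    return False

def request_reset(user_id: str, now: float) -> str:
    token = secrets.token_urlsafe(32)  # unpredictable token to put in the emailed link
    reset_tokens[token] = {"user_id": user_id, "created": now}
    return token

def complete_reset(token: str, new_password: str, now: float) -> bool:
    entry = reset_tokens.pop(token, None)  # single use: removed whether valid or expired
    if entry is None or now - entry["created"] > RESET_TTL_SECONDS:
        return False
    set_password(entry["user_id"], new_password)  # new salt and hash; attempts back to 0
    return True
```

In a real table, store a hash of the token rather than the token itself, so a leaked reset table cannot be used to take over accounts.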



This entry was posted on Tuesday, July 9th, 2013 at 11:43 pm and is filed under Cyber Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.