Password Protection
You have a member area on your website. Your customers can check their account information, see the status of orders, place new orders and more. Truly, this is a great system you have created.
Except of course, it isn't truly great until you ask the question: how secure is it? Do you know or did your web developer just tell you it was secure?
There are a lot of factors that go into securing your member area. For the sake of this article, let's focus on password protection - and the two main things to think about when it comes to passwords.
After all, the username/password system is usually the main tool used, or sometimes the only tool used, to let the people you want in and keep everybody else out of the secure area on your website.
First question: where are the passwords stored?
In general, passwords should be stored in a database and, within the database, associated with the username for that account. A database is a better place than a loose file because normal users never touch the database directly, only indirectly through your code. That gives you control over what the end user sees and keeps the password records out of plain sight and away from accidental viewing.
What is the alternative to storing in a database? In some cases, people keep the passwords in a plain text or Excel file on the site and then use code to read that file. That is not secure at all. Try a Google search for "login: *" "password= *" filetype:xls and you will find passwords for several websites easily and quickly. Any file sitting in a web-accessible folder can be crawled by Google, and once it has been crawled and cached there is very little you can do to prevent the content of that file from being revealed.
At a minimum, you need to know where your passwords are stored, and you need to know that they can't be found by a simple Google search.
Second question: how are the passwords stored?
I'd argue that the where question is the most crucial priority when it comes to passwords. A close second is how the passwords are stored. For instance, if your password is "HiMom1", does it get stored as is, or "in the clear", with the password record simply saying "HiMom1"? Or does the password get transformed first, so that the record holds something like "UvZbz1" instead of "HiMom1"?
Here is a better way to ask that question: if your passwords are in a database, and that database is secured, but somebody still manages to get at the password records, which would you prefer they see? "HiMom1", or the far less useful "UvZbz1"? With "HiMom1" the hacker can log in to your website right away; with a transformed value the hacker first has to work out the original password before gaining access.
It is worth noting that the transformation matters as much as the fact that one is used. The example above uses ROT13, which is not really encryption at all: it is its own inverse, so anyone who sees "UvZbz1" recovers "HiMom1" instantly, and it is not a method I'd ever recommend. Reversible encryption is only marginally better, because whoever gets hold of the database can usually get hold of the decryption key that the code keeps alongside it. The right approach is not to store any recoverable form of the password but a salted, deliberately slow one-way hash (bcrypt, scrypt, Argon2 or PBKDF2). At login you hash what the user typed and compare it to the stored hash; an attacker who steals the whole table still has to guess each password one at a time.
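To make the difference concrete, here is an added example (not code from the original article or from QW Consulting) that stores the article's "HiMom1" three ways: in the clear, with the ROT13 transform behind "UvZbz1", and as a salted PBKDF2-HMAC-SHA256 hash from Python's standard library. The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the iteration count are assumptions chosen for the example.

```python
import base64
import binascii
import codecs
import hashlib
import hmac
import os
from typing import Optional


# 1. "In the clear": the record is the password itself. Anyone who reads
#    the table can log in immediately.
def store_in_the_clear(password: str) -> str:
    return password


# 2. ROT13, the transform behind the article's "UvZbz1" example. It is its
#    own inverse, so the "encrypted" record is as good as the plaintext.
def rot13(text: str) -> str:
    return codecs.encode(text, "rot_13")


# 3. Salted, slow one-way hash using PBKDF2-HMAC-SHA256. The stored record
#    is "pbkdf2_sha256$<iterations>$<salt>$<hash>" (a format chosen for this
#    example, not a standard one). Nothing in the record lets anyone recover
#    the password; a thief has to guess and re-hash, one guess at a time.
PBKDF2_ITERATIONS = 600_000  # assumed cost; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a record from which the password cannot be recovered."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except (ValueError, binascii.Error):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "HiMom1"  # the article's example password
    print("in the clear:", store_in_the_clear(pw))
    print("rot13       :", rot13(pw), "-> reversed:", rot13(rot13(pw)))
    record = hash_password(pw)
    print("pbkdf2      :", record)
    print("correct password accepted:", verify_password(pw, record))
    print("wrong password rejected  :", not verify_password("HiMom2", record))
```

Two things to notice when running it: hashing the same password twice gives two different records because each gets its own random salt, so an attacker cannot precompute one table for everyone; and the iteration count is stored in the record, so you can raise it later and re-hash users as they log in. PBKDF2 is used here only because it ships with Python; in production a maintained bcrypt, scrypt or Argon2id library is the usual choice.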
As usual, developing the website the right way, with a system that handles your passwords securely, will take more time but it is worth it to make sure your website is as secure and safe as possible.
If you want to make sure your passwords are being stored as safely and securely as possible, contact QW Consulting today.

