tel2 (New Zealand) asked:

Website signup, account activation, security, etc

Hi Experts,

I'm working on a web-based system (written in Perl with MySQL) for organisations, which (among other things) is basically an online contact directory, where:
- Each organisation has an administrator (or several).
- Members sign up on paper (privacy policy, etc) and their administrator enters their details into the system.
- If a member then wants to be able to login (not all will), they ask the administrator to activate their account.
- The administrator activates an account by finding that member's record, and selecting the "activate" option.
- Activation automatically sends the member an email (to their listed address) containing either:
    - A soon-to-expire (long & cryptic) activation link, or possibly even
    - A soon-to-expire single-use password, which must be changed at login.  (I haven't decided which of these options to use yet.)
- If the email expires before use, the member can ask the administrator again.

- Once an account is activated and in use, if a member (or hacker) gives the wrong password for a particular account more than say 5 times, then the account is locked.  This would send an email to the owner (and possibly the administrator).  Unlocking would either be:
    - Automatic (after an hour or so), or
    - Manual (by the administrator).  (I haven't decided which of these options to use yet.)
- I might also try to detect/defeat hack attempts over multiple user accounts.  Not sure of the best way yet - perhaps by IP address, or user agent, but I believe both these can be tampered with.
- I might also try to defeat brute-force password hack attempts by making responses slower and slower after password failure.

The reason for the members not registering themselves online is, I want to minimise the chance of outsiders signing up as if they are members, as this could enable them to see other people's private data.  Unfortunately, this means details have to be typed in from the paper copy, by the administrator, which could introduce typos.

I'm currently not planning to use a secure (https) site, because:
a) I'm not sure it is worth the security certificate fee (I'm not dealing with financial data, but there is contact info which does concern me somewhat),
b) I'm not yet convinced the risks are high enough (how can anyone "sniff" such data?),
c) I'm not sure whether I have to change my code to allow for this (would I)?
I understand that some webhosts allow their customers to use a (free) "shared" certificate, but my webhost doesn't, and I'm not planning to move.

Q1. Any comments/suggestions on making the sign-up process better and/or more secure?
Q2. Any comments/suggestions on making the account activation (for login-ability) process better and/or more secure?
Q3. Any comments/suggestions on my security certificate comments/questions above?
Q4. Any comments/suggestions on making any of this stuff better and/or more secure?

My webhost uses cPanel on Linux with Apache.

Thanks.
tel2
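An added example (Python rather than the Perl the system is written in, and not code from the thread) of the activation-and-lockout flow described above: the e-mailed secret is stored only as a hash, accepted once and only before expiry, and the account locks after the stated number of wrong passwords. TOKEN_TTL, LOCKOUT_SECONDS and the in-memory Directory table are assumptions standing in for the MySQL schema.

```python
import hashlib
import secrets

TOKEN_TTL = 60 * 60        # assumption: activation e-mail usable for one hour
MAX_FAILURES = 5           # the post: lock after "more than say 5" wrong passwords
LOCKOUT_SECONDS = 60 * 60  # assumption: the "automatic (after an hour or so)" option


class Directory:  # in-memory stand-in for the MySQL member table (constructed)
    def __init__(self):
        self.members = {}  # email -> record

    def add_member(self, email):
        self.members[email] = {"token_hash": None, "token_expires": 0,
                               "failures": 0, "locked_until": 0}

    def issue_activation(self, email, now):
        # Administrator activates: returns the secret to e-mail; only its hash is stored.
        # `now` is the current Unix time, passed in so the flow is deterministic.
        token = secrets.token_urlsafe(32)  # long and unguessable, never stored in clear
        rec = self.members[email]
        rec["token_hash"] = hashlib.sha256(token.encode()).hexdigest()
        rec["token_expires"] = now + TOKEN_TTL
        return token

    def redeem_activation(self, email, token, now):
        # Member follows the link: accepted once, and only before expiry.
        rec = self.members.get(email)
        if rec is None or rec["token_hash"] is None or now > rec["token_expires"]:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, rec["token_hash"]):
            return False
        rec["token_hash"] = None  # single use: burn the token on success
        return True

    def record_login(self, email, password_ok, now):
        # Returns 'ok', 'failed' or 'locked'; a success resets the failure counter.
        rec = self.members[email]
        if now < rec["locked_until"]:
            return "locked"  # reject even a correct password while locked
        if password_ok:
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] > MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0  # the real system would e-mail the owner here
            return "locked"
        return "failed"
```

Storing only the hash of the token means someone who copies the database still cannot use outstanding activation links.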
ASKER CERTIFIED SOLUTION by Scott Fell (United States): members-only content, not shown.
tel2 (ASKER):

Thanks for that, padas.  That answers some of my questions.

Regarding certificates, did you see my item b)?  What kind of lengths do hackers have to go to, to sniff the data being transferred by a regular http connection?  What kind of access to components of the network do they need (e.g. to the servers or to your ISP)?

And does https slow things down much?

Do I need to change my code at all or much to accommodate SSL?

I've used plenty of https sites, but most of them tend to be for financial systems (banks, shopping, etc).  Take EE for example - I don't see them using https.

The cheapest certificate I know of is Comodo, but I read they have been hacked.

Thanks.
tel2
SOLUTION: members-only content, not shown.
SOLUTION: members-only content, not shown.
tel2 (ASKER):

Thanks Dave,

In the case of the webhost, I assume a network engineer (with root access to the Linux box) would be able to copy the entire database if (s)he wanted to, regardless of SSL.  Not so at the ISP end, of course.

Can the data be read from outside of the ISP and webhost facilities?
(Obviously on the end-user's network/device it could be, but on the device I don't know how much SSL would help limit access here.)
SOLUTION: members-only content, not shown.
tel2 (ASKER):

OK, thanks Dave.

padas, I think you've answered Q1, but I don't think you've answered Q2.  Have another read of my original post to understand my activation suggestions better.


Does anyone have any comments/suggestions re my suggested activation process (i.e. allow those who want to login, to be able to do so)?  Some people will not want to login (they will just use the hard-copy contact directory).  What are the pros/cons of sending a link vs. password in the ways I have suggested?  Any better options?

Thanks.
SOLUTION: members-only content, not shown.
tel2 (ASKER):

Thanks very much for all that, padas,

Here are my responses to some of your numbered points.

2) Currently I use MD5 to encrypt the passwords (but I'm the only login-activated user at this point).  I have read about some issue with collisions with MD5 but I didn't really understand it and wondered if it matters in my case, since I'm going to be locking accounts out after maybe 5 failed login attempts, anyway.  What say you about this?

5) In my original post I've suggested a couple of ways I might do this (email a link or password, both of which have a short expiry time).  What are your comments on those?

6) If using SSL is a must for a site like this, why do you think huge sites like EE don't use it (except, presumably, for taking payments)?  I doubt they'd want outsiders hacking user/expert accounts, even if money was not involved.  It would soon give EE a bad name.

7) I'm not running my own server.  As mentioned, I'm using a webhost, so I don't think I can do many of these things.  When you say "directory browsing turned off", I've got "Options -Indexes" set in .htaccess of my public_html dir.  Will that do?
And yes, I have considered making it so my system automatically locks out IPs from apparent hackers.  But they can then fake a different IP, correct?

Any answers to my questions above would be appreciated.


And I still want to know:
a) If using SSL would require me to change my code significantly.
b) If using SSL would significantly slow down my site's performance.

Thanks.
tel2
SOLUTION: members-only content, not shown.
SOLUTION: members-only content, not shown.
tel2 (ASKER):

Days later...

Thanks for all that, padas, and sorry for the delay in responding.  I think we're nearly there, but your comments raise some issues that I'd like to understand, please.

Encrypting passwords
OK - thanks for that, especially the links.  It looks as if SHA-512 would take longer to hack than MD5.  I assume that if I add to SHA, my own bit (or even byte) of transforming the encrypted data, then that could make it even harder for a hacker, because they could no longer rely on standard cracking tools.  Any thoughts on this?

Link verification
> Ease of use vs more secure.   A soon-to-expire single-use password, which must be changed at login sounds good.
How is that more secure than an equally soon-to-expire activation link, (which also requires a password to be entered)?  This is what I'm trying to understand.

Using SSL
> I have already answered this.
In general terms you may have, but probably not in a way that allowed me to understand it to my satisfaction.

> As far as EE ... try clicking on log in without entering a pass and you get to the actual log in page.
It's a bit academic now, but out of interest, do you think normal first-time-successful logins at EE use SSL?  The URL doesn't contain "https" during the normal login process.  Any ideas what's going on here?

> I'm not sure why you keep questioning this.
To get a level of understanding of it that satisfies me.  I don't always believe or do things just because someone says it.  I like to see that it "adds up" to me (not just to someone else), first.

Server
> Nothing is 100% secure.
I know/agree, but what I was trying to ask was, does setting "Options -Indexes" in public_html/.htaccess achieve the "directory browsing turned off" thing you mentioned?

Thanks again.
tel2
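An added illustration (Python rather than the site's Perl; not code from the thread or from tel2's system) for the MD5 question in the earlier post and the "add my own transform to SHA" idea in this one: collisions are beside the point for password storage; the practical weakness of unsalted MD5 is that it is fast and gives identical digests for identical passwords, so a copied table can be cracked offline no matter how login attempts are limited. The standard form of a private transform is a secret pepper applied with HMAC on top of a per-user salt and a slow iterated hash; ITERATIONS and PEPPER are assumed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: tune so one hash costs ~100 ms on your server
# Assumption: a server-side secret kept outside MySQL (e.g. in a config file the
# web app reads). A copied database alone is then not enough to start cracking.
PEPPER = b"constructed-example-pepper-do-not-reuse"


def md5_hash(password):
    # What the post describes today: unsalted MD5. Fast, and the same password
    # always gives the same digest, so precomputed tables work across all users.
    return hashlib.md5(password.encode()).hexdigest()


def make_password_record(password):
    # Per-user random salt + iterated PBKDF2-HMAC-SHA512, then keyed with the pepper.
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    tagged = hmac.new(PEPPER, derived, "sha512").digest()
    return "pbkdf2_sha512$%d$%s$%s" % (ITERATIONS, salt.hex(), tagged.hex())


def verify_password(password, record):
    # Recompute with the stored salt and iteration count; constant-time compare.
    try:
        algo, iters, salt_hex, tagged_hex = record.split("$")
    except ValueError:
        return False  # not one of our records (e.g. a legacy MD5 digest)
    if algo != "pbkdf2_sha512":
        return False
    derived = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                  bytes.fromhex(salt_hex), int(iters))
    tagged = hmac.new(PEPPER, derived, "sha512").digest()
    return hmac.compare_digest(tagged, bytes.fromhex(tagged_hex))


def same_stored_value(hasher, password):
    # True when two members with the same password end up with identical stored values.
    return hasher(password) == hasher(password)
```

Storing the iteration count in the record lets you raise ITERATIONS later and rehash each member on their next successful login.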
SOLUTION: members-only content, not shown.
tel2 (ASKER):

Thanks again for all that, padas.

> Is this basic contact info or are you a health care provider or bank?
Basic contact info for a contact directory for churches.

> If you read through the article and it will make more sense.
Thanks.  I read a lot of it last week and intend to read the rest soon.

>>> I have already answered this.
>> ...not in a way that allowed me to understand it to my satisfaction.
> What part do you still need help on?

Not much now, thanks.  I was talking about previously.  But see my one outstanding question at the bottom of this post.

> Don't copy your neighbor because they are probably doing it wrong.
My motto is not much different from that, and don't worry - I'm not planning to just copy EE or anyone else without good reason, which is part of the reason I've been trying to understand the need for SSL.  I'm pretty clear on that now, though.  As I said re EE, "It's a bit academic now, but out of interest...".

> does setting "Options -Indexes" in public_html/.htaccess achieve the "directory browsing turned off" thing you mentioned?
I'm not sure that your response to the above has given me a direct answer to this.  If you could give me a "yes" or a "no + explanation" answer, that would be good.

Thanks.
tel2
SOLUTION: members-only content, not shown.
tel2 (ASKER):

Thanks for that, padas.
I'm not planning to have any payment stuff on my site, but I might use SSL.

But my question is simply:
> does setting "Options -Indexes" in public_html/.htaccess achieve the "directory browsing turned off" thing you mentioned?
I'm not sure that your response to the above has given me a direct answer to this.  If you could give me a "yes" or a "no + explanation" answer, that would be good.


So, does it achieve that?  If not, what does?

Thanks.
tel2
SOLUTION: members-only content, not shown.
tel2 (ASKER):

Thanks padas,
I'm familiar with the method of testing, but just wanted to make sure that kind of setting is what you were referring to.  Thanks for all your helpful advice!

And thanks to you too, Dave.

Good to have you both on the EE team!