On Tue, April 12, 2005 4:40 am, trlists@xxxxxxxxxx said:

[lots and lots of stuff, mostly valid, about Security being applied in ratio with the data being protected]

I don't have the time to answer this point by point. So I'll stick with some generalizations.

I have what I consider a MINIMUM standard level of security for any site that asks for a password. That would include:

Not storing the password *ANYWHERE* in clear-text.
  Not in database.
  Not in $_SESSION
  Not in COOKIES

Not storing an encrypted username/password in $_SESSION/COOKIE if having those values provides access. Because at that point, the encryption is rather meaningless, as it's really a clear-text 32-character code that happens to be the encrypted value of something secret, but the clear-text 32-character code gives the Bad Guy access, whether they know the secret or not.

If your content/application/data is important enough to warrant a username/password, then it should be important enough to secure with this minimal level of security, IN MY OPINION.

The "tie-in" from a given user's session data should be ephemeral -- it should expire within a short time frame. It should also be un-guessable, like PHP's session IDs. It should not, in and of itself, provide enough data for a Bad Guy with the means to readily compromise an account on a long-term basis.

If users forget passwords, they should get new random passwords, with the application/email directing them to change those passwords to memorable (to them) but hopefully un-guessable (to Bad Guys) values.

Nothing I am recommending is significantly more difficult, nor complex, than the alternatives you are presenting.

I would contend that anything less is simply a false sense of security, provided to the un-informed, by using inherently insecure username/password methodology. The fact that 10 zillion sites are currently doing exactly that does not make it "right".
You obviously disagree, and think everything is just hunky-dory in the 10 zillion sites that are leaking passwords to any Bad Guy with half a clue.

We'll simply have to agree to disagree on what is a minimal standard level of security, and move forward.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
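The minimum standard described in the post, sketched as an added example (not code from the post or the list; the post talks about PHP, this is a Python equivalent): the password is stored only as a salted hash, the cookie carries nothing but a random short-lived token that is resolved server side, possessing the stored hash is not a credential, and a forgotten password is replaced by a fresh random one. The in-memory dicts USERS and SESSIONS are constructed stand-ins for the database and the session store.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed stand-ins: the user database and the server-side session store.
USERS = {}     # username -> (salt, salted hash); never the clear-text password
SESSIONS = {}  # random token -> (username, expiry); the cookie holds only the token
SESSION_TTL = 15 * 60  # the tie-in is ephemeral: 15 minutes, in seconds

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash from the standard library; only this is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))

def check_password(username: str, password: str) -> bool:
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, hash_password(password, salt))

def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    # On success hand out an unguessable token; nothing about the password leaves the server.
    if not check_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, (now if now is not None else time.time()) + SESSION_TTL)
    return token

def user_for_token(token: str, now: Optional[float] = None) -> Optional[str]:
    # Unknown or expired tokens resolve to nobody, so an old stolen token is worthless.
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expires = entry
    if (now if now is not None else time.time()) >= expires:
        del SESSIONS[token]
        return None
    return username

def reset_password(username: str) -> Optional[str]:
    # Forgotten password: issue a new random one to be mailed; the old one is never recoverable.
    if username not in USERS:
        return None
    new_password = secrets.token_urlsafe(12)
    register(username, new_password)
    return new_password
```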