Security is necessary whenever sensitive information is transmitted or stored. Sensitive information may include credit card numbers, bank statements, business proposals, and, in general, any information you would not like to make available to the general public.
Passwords in particular must be carefully protected. Many people use a single password (or very few passwords) for all of their online activities. This means that a carelessly guarded password might be used to access an online bank account, or worse, to perpetrate identity theft. It is important to keep your site, and your users, secure.
We implement security based on your requirements.
During the logon sequence, we use the Secure Hash Algorithm, together with a psuedo-random value, to securely encrypt the password. This encrypted password can only be used to logon one time. This protects against interception and reuse of the password.
After a successful logon, a secure session is created. This session can be used to track who is using the website, to allow a customized experience for each user, and to allow selected users (such as administrators) access to sensitive information.
Sessions can be made to expire after a set length of time. This helps to maintain security when access is from a public computer, and the user forgets to end the session when leaving the computer.
Secure logon and secure session tracking procedures are designed to protect passwords against recovery, and to protect the site from third-parties. However, when page content includes sensitive information such as credit card numbers, additional security is required.
Secure Sockets Layer (SSL) is the industry standard used to encrypt sensitive information being sent over the internet. This process is transparent to the user, and is highly recommended, whenever sensitive information is being transmitted.
As an added benefit of using SSL, POST requests can also be encrypted. By optionally navigating the secure portions of the site via POST requests, very little information is exposed to the outside world.
HTTP Authentication is a legacy protocol for user authentication. Unfortunately, passwords are either transmitted as plain text, or are insecurely encrypted. This can not be changed when using HTTP Authentication. If even a single transmission is intercepted, security is breached. As such, we generally do not recommend HTTP Authentication.
HTTP Authentication might be appropriate for a site which does not require user accounts, and yet does not wish to be accessible to the general public. Under such a scenario, a generic logon id and password would be set up, and anyone with that logon id and password could access the site. If appropriate for your site, we can provide HTTP Authentication on request.
If you have any questions about security, please contact us!