All of us are aware that a website needs to be as secure as possible to prevent hackers from being able to access it. Hence it makes sense to leave no back doors in our programming code while developing the website. User authentication is the big front that we expect will hold and prevent unauthorized access. However, it often happens that a developer does not take this seriously, or is pressured by the client, and makes a bad decision regarding the storage of passwords, thus making the entire website vulnerable.
This article therefore sets out to educate you about security, with a few tips on how to stay safe.
Brief introduction to Security:
To start with, it is necessary that you get a clear perspective of what being secure really means. When it comes to making your website secure, it is never going to be 100% secure. However, the choices you make can make your website either more secure or less secure. To think that your website is 100% secure once you have taken all the right decisions is a huge misconception, and is what gets most websites into trouble.
I will explain this with an example to make it a bit easier to understand. When you lock your bike after parking it in the allotted parking area, you do that to make it secure. This doesn't mean it is 100% secure, since a bike lock can be picked or thieves can find other innovative methods to steal the bike. However, installing a touch sensor on your bike that sets off a very loud alarm makes the bike more secure.
Thus the level of security of your website depends on the choices you make. These decisions may be made on the basis of budget, website features or convenience. However, considering that low security puts your website at risk, which could mean loss of data or your website being taken down, why wouldn't you make your website as secure as possible?
The Hashing Algorithm:
It is a good idea to store passwords in the database in a secure manner. This means encrypting or otherwise converting them using some pre-defined function before they are stored. It often happens that a business owner will specifically request that passwords be stored in their original readable form so that it becomes easier for the administrator to modify user accounts. This is a very big security issue that can get bigger if not corrected. The fact is that a password should never be stored in the database without first being transformed in some way. This is where hashing comes in.
A 'hash' is a mathematically computed value of the password: it converts the password into a string of letters and numbers, and that string is what gets stored in the database. Doing so makes it impossible to decode the password from the stored value in order to enter the website. A very popular hashing technique is to use the MD5 or SHA1 functions, which are available in MySQL and several programming languages. Support for SHA2 was added in the MySQL 5.5.5 update.
This can be implemented in the following manner (MySQL's SHA2 function takes the digest length in bits as its second argument):
INSERT INTO `yourtable` (password) VALUES (SHA2('secret password', 256));
In the same way, when authenticating, the SHA2 function can be applied to the password that has been entered on the login form and the result compared with the stored value.
The password is secure to some extent once you hash it prior to storing it in the database. However, it is possible to make the password even more secure by using a 'salt' with the password. This is essentially a random set of characters that is added to each password prior to storing it in the database.
The main advantages of using a password salt are:
It makes the password longer, and a longer password is harder to crack.
Where several users have the same password, the hashed version of the password will also be the same. However, if the website uses a randomly generated salt for each password then the hashes differ, which solves the issue of similar passwords.
The 'salt' isn't something that has to be kept secret or hidden. However, providing a salt value can make passwords much more secure, even if the salt is only one character long. Ideally the 'salt' should be as long as possible, but not longer than 40 characters if using SHA1, since SHA1 converts a password into a 40-character string.
This can be implemented in the following manner using a PHP function available since version 5.3:
$salt = bin2hex(openssl_random_pseudo_bytes(20)); // 20 random bytes, hex-encoded to 40 characters
This hex value can be used as the salt with the password.
$pass = hash_hmac('sha512', 'the secret password' . $salt, 'secret key'); // hash_hmac(algo, data, key): salt appended to the password, the secret key is the HMAC key
Thus the password obtained in this manner is more secure. However, make sure you also record the salt value in the database, since it will be required to authenticate the user.
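As an added example (not code from the original article), the salted scheme above carried through in Python rather than PHP: a random per-user salt, an HMAC-SHA512 keyed with a server-side secret, the salt stored beside the hash, and constant-time verification at login. The secret key value and the in-memory dictionary standing in for the database table are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: the server-side key the article passes to
# hash_hmac. Keep it outside the database so a DB dump alone is not enough.
SECRET_KEY = b"example-server-secret-key"


def make_salt(nbytes: int = 20) -> str:
    """Random per-user salt, hex-encoded like the article's bin2hex(...) call."""
    return secrets.token_hex(nbytes)  # 20 bytes -> 40 hex characters


def hash_password(password: str, salt: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA512 of password+salt, keyed with the server secret (hex output)."""
    return hmac.new(key, (password + salt).encode(), hashlib.sha512).hexdigest()


def store_user(db: dict, username: str, password: str) -> None:
    """Record the salt next to the hash; the salt is not secret, as the article notes."""
    salt = make_salt()
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_login(db: dict, username: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    row = db.get(username)
    if row is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password, make_salt())
        return False
    return hmac.compare_digest(row["hash"], hash_password(password, row["salt"]))


if __name__ == "__main__":
    users = {}  # stands in for the database table
    store_user(users, "alice", "secret password")
    store_user(users, "bob", "secret password")
    # Same password, different salts: the stored hashes differ.
    print(users["alice"]["hash"] != users["bob"]["hash"])   # True
    print(verify_login(users, "alice", "secret password"))  # True
    print(verify_login(users, "alice", "wrong password"))   # False
```

In production a deliberately slow password hash such as hashlib.pbkdf2_hmac would take the place of the plain HMAC; the block keeps HMAC-SHA512 to mirror the article's hash_hmac call.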
Securing the forgotten password process:
If your website has a login feature then you will need a 'forgotten password' option as well, to help users reset their passwords if and when they lose them. This process also needs to be made as secure as possible, since it is possible for hackers to take advantage of this feature.
The forgotten password task can be handled in several ways; however, not all of them are very secure:
Asking the user to enter a secret key or email address prior to sending the password:
Many websites implement this style. Once you click on the 'forgot password' link, they ask for your email address or secret key and then send the password to your email address. The fact of the matter is that email is not a very secure medium, and hence sensitive data should ideally not be sent via email. Thus a password should not be sent via email.
Sending a link to a page to create a new password: An alternative to sending the password via email is to send a link containing a token to the registered email address. This token should be valid only for a specific amount of time, such as 2 hours or 5 hours. Once the user clicks the link in their email it takes them to a page where they can enter the new password themselves.
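The token-link flow just described, as an added Python example that is not part of the original article: a random token goes into the emailed link, only its hash is kept server-side with an expiry (the article's 2 hours), and redeeming it once marks it used. The dictionary standing in for the token table and the timestamps are constructed for the example.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 2 * 60 * 60  # the article's "2 hours"


def _token_key(token: str) -> str:
    """Only a SHA-256 of the token is stored, so a leaked table does not yield usable links."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(db: dict, email: str, now: float) -> str:
    """Create a random single-use token for this email; the caller puts it in the emailed link."""
    token = secrets.token_urlsafe(32)
    db[_token_key(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_reset_token(db: dict, token: str, now: float):
    """Return the email the token belongs to, or None if unknown, expired, or already used."""
    row = db.get(_token_key(token))
    if row is None or row["used"] or now > row["expires"]:
        return None
    row["used"] = True  # a link works once; the user then sets the new password on the page
    return row["email"]


if __name__ == "__main__":
    tokens = {}  # stands in for the reset-token table; timestamps below are constructed
    t0 = 1_700_000_000.0
    link_token = issue_reset_token(tokens, "user@example.com", t0)
    print(redeem_reset_token(tokens, link_token, t0 + 3600))  # user@example.com
    print(redeem_reset_token(tokens, link_token, t0 + 3600))  # None (already used)
    late = issue_reset_token(tokens, "user@example.com", t0)
    print(redeem_reset_token(tokens, late, t0 + TOKEN_TTL_SECONDS + 1))  # None (expired)
```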
Thus implementing these subtle features and taking a little more care over how the password section is handled can go a long way in making the website more secure. As a developer you should also be aware that not every client is IT savvy, and may not be aware of the consequences of keeping passwords unsecured. Thus it is necessary to educate them and advise them against requesting this.
Alakmalak is a web development company that has developed over 2000 websites over the years. Its clients, who come from all across the globe, really appreciate the design and development work and continue to remain clients. Hence it goes without saying that Alakmalak always implements good and secure practices to keep websites out of harm's way.