Protecting against improper access controls

Proper storage of passwords
- DO NOT store as plain text!
- Hashing vs. encryption.
- Database user passwords need to be retrieved: the application must present them when it connects, so they need reversible (encrypted) storage
- No need to know website user passwords: only a one-way hash is stored and compared

Password controls
- Password "aging"
- Length and mixture of characters
- Do not annoy your website users!
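The three password controls above, as an added example that is not from the original slides: a policy check for length and character mixture, plus an aging check that is meant to prompt for a change at the next login rather than lock the account. MIN_LENGTH, MIN_CLASSES and MAX_AGE_DAYS are illustrative values chosen here, and the character-class matching assumes the mbstring and PCRE (with Unicode) extensions that ship with standard PHP builds.

```php
<?php
declare(strict_types=1);

// Added example (not from the original slides). The three constants are
// illustrative values for this example, not recommendations from the slides.
const MIN_LENGTH   = 12;
const MIN_CLASSES  = 3;
const MAX_AGE_DAYS = 180;

/** Returns the list of violated rules; an empty array means the password is acceptable. */
function passwordPolicyViolations(string $password): array
{
    $violations = [];
    if (mb_strlen($password) < MIN_LENGTH) {
        $violations[] = sprintf('must be at least %d characters long', MIN_LENGTH);
    }
    // Mixture of characters: count how many Unicode character classes are present.
    $classes = [
        'lowercase' => '/\p{Ll}/u',
        'uppercase' => '/\p{Lu}/u',
        'digit'     => '/\p{N}/u',
        'symbol'    => '/[^\p{L}\p{N}]/u',
    ];
    $present = 0;
    foreach ($classes as $regex) {
        if (preg_match($regex, $password) === 1) {
            $present++;
        }
    }
    if ($present < MIN_CLASSES) {
        $violations[] = sprintf(
            'must use at least %d of: lowercase, uppercase, digits, symbols',
            MIN_CLASSES
        );
    }
    return $violations;
}

/**
 * Password "aging": true when the stored password is older than MAX_AGE_DAYS.
 * To avoid annoying users, act on this only at the next successful login
 * (prompt for a new password) instead of locking the account outright.
 */
function passwordExpired(int $changedAtUnix, ?int $nowUnix = null): bool
{
    $nowUnix ??= time();
    return ($nowUnix - $changedAtUnix) > MAX_AGE_DAYS * 86400;
}

// Constructed sample inputs for the demo
foreach (['short1!', 'alllowercaseletters', 'Tr0ub4dor&3-plus-some-length'] as $candidate) {
    $v = passwordPolicyViolations($candidate);
    printf("%-32s %s\n", $candidate, $v === [] ? 'OK' : implode('; ', $v));
}
// A password last changed 200 days ago (constructed timestamp)
printf("expired: %s\n", passwordExpired(strtotime('-200 days')) ? 'yes' : 'no');
```

The policy deliberately counts character classes rather than demanding one of each, which is one way to keep the "mixture" rule from rejecting long passphrases that users can actually remember.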

Creating new and resetting old passwords
- Have some sort of "offline" confirmation
- "Security" questions
- Add extra confirmation when resetting passwords
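A reset flow covering the three points above, as an added example that is not from the original slides: the "offline" confirmation is a random token delivered through a separate channel (e-mail is assumed), stored only as a hash, single-use and short-lived, and the reset itself requires the new password to be entered twice and pass a length check before it is accepted. The password_resets table, the 15-minute TTL and the in-memory SQLite database used for the demo are constructed for this example (it assumes the pdo_sqlite extension); security questions are not modelled here.

```php
<?php
declare(strict_types=1);

// Added example (not from the original slides). RESET_TTL_SECONDS and the
// password_resets schema are constructed for this example.
const RESET_TTL_SECONDS = 900;

function setupSchema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS password_resets (
        user_id INTEGER NOT NULL, token_hash TEXT PRIMARY KEY, expires_at INTEGER NOT NULL)');
}

/** Creates a token for the user; the caller delivers it through a separate channel (assumed: e-mail). */
function issueResetToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    // Only the hash is stored, so a leaked table does not yield usable tokens.
    $stmt->execute([$userId, hash('sha256', $token), time() + RESET_TTL_SECONDS]);
    return $token;
}

/**
 * Validates and consumes a token. Returns the user id on success, null otherwise.
 * The row is deleted whether or not it was valid, so each token is single-use.
 */
function consumeResetToken(PDO $db, string $token): ?int
{
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $db->prepare('DELETE FROM password_resets WHERE token_hash = ?')->execute([$tokenHash]);

    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    return (int) $row['user_id'];
}

/**
 * Extra confirmation step: the new password must be entered twice and meet a
 * minimum length before the token is consumed. Returns the hash to store, or null.
 */
function completeReset(PDO $db, string $token, string $new1, string $new2): ?string
{
    if ($new1 !== $new2 || mb_strlen($new1) < 12) {
        return null;
    }
    $userId = consumeResetToken($db, $token);
    if ($userId === null) {
        return null;
    }
    // The caller stores this hash for $userId and invalidates the user's existing sessions.
    return password_hash($new1, PASSWORD_DEFAULT);
}

// Demo against an in-memory SQLite database (constructed data)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);
$token = issueResetToken($db, 42);
var_dump(completeReset($db, $token, 'new-pass-phrase-1234', 'new-pass-phrase-1234') !== null);
// Attempt to reuse the same token after it has been consumed
var_dump(consumeResetToken($db, $token));
```

Hashing the token before storing it matters because the reset table is exactly the kind of data that ends up in database backups and logs; the plaintext token exists only in the message sent to the user.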

PHP hashing and encryption extensions
- Password Hashing: new wrapper for crypt()
- Hash: enabled by default; no ext libraries; replaces Mhash
- Mcrypt: requires libmcrypt; wide variety of algorithms
- Crack: moved to PECL; used to test password strength
- OpenSSL: used for managing an SSL connection
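The two storage cases from the "Proper storage of passwords" slide, using the extensions listed above, as an added example that is not from the original slides: website user passwords go through password_hash()/password_verify() (the Password Hashing wrapper around crypt()), while a database password the application must present at connect time is encrypted and decrypted with the OpenSSL extension. OpenSSL is used here instead of Mcrypt because Mcrypt was deprecated in PHP 7.1 and removed from core in 7.2. The key handling is an assumption for the example (in practice it is loaded from the environment or a secrets store, never from the same database), and all sample values are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the original slides).
// (a) Website user passwords: one-way hash; the plaintext is never stored or recoverable.
// (b) A database password the application itself needs: must be recoverable, so it is
//     encrypted with a key kept outside the database (assumed: environment or secrets store).

function storeUserPassword(string $plain): string
{
    // PASSWORD_DEFAULT is currently bcrypt; the result embeds algorithm, cost and salt.
    return password_hash($plain, PASSWORD_DEFAULT);
}

/** Verifies a login and transparently upgrades the stored hash when the default changes. */
function checkUserPassword(string $plain, string &$storedHash): bool
{
    if (!password_verify($plain, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $storedHash = password_hash($plain, PASSWORD_DEFAULT); // caller persists the new value
    }
    return true;
}

/** AES-256-GCM: the IV and authentication tag are stored alongside the ciphertext. */
function encryptSecret(string $plain, string $key): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $cipher = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $cipher);
}

function decryptSecret(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed blob');
    }
    $iv     = substr($raw, 0, 12);
    $tag    = substr($raw, 12, 16);
    $cipher = substr($raw, 28);
    // GCM verifies the tag, so a modified blob fails here instead of yielding garbage.
    $plain = openssl_decrypt($cipher, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('decryption failed or data was tampered with');
    }
    return $plain;
}

// Demo with constructed values
$hash = storeUserPassword('correct horse battery staple');
var_dump(checkUserPassword('correct horse battery staple', $hash));
var_dump(checkUserPassword('wrong guess', $hash));

$key  = random_bytes(32); // stand-in for a key loaded from the environment or a secrets store
$blob = encryptSecret('db-pa55w0rd-constructed', $key);
var_dump(decryptSecret($blob, $key) === 'db-pa55w0rd-constructed');
```

The contrast is the whole point of the slide: password_verify() can only confirm a guess against the stored hash, which is all a login needs, whereas decryptSecret() hands back the original value, which is only acceptable for credentials the application itself has to use.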