Security to the Max!

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Security to the Max!

Post by shiznatix »

Hi everyone,

Where I am working we have a bunch of accounts with different companies/websites/everything. I advocate advanced security on even the most basic of things, so you can imagine how appalled I was when I discovered a bunch of passwords and usernames were being stored in a Word document that was routinely being shared among the staff and even put on private laptops and taken home. I have since started my crusade to fix this problem.

I have decided to make a website that will store all the usernames / passwords. I would like some input as to what you guys think should be done to make the encryption and security as air-tight as possible. My ideas so far:

1) SSL obviously
2) Encrypt all usernames/passwords with a manually entered master password and store those encrypted strings in the DB
3) User will enter the master password and that will be used to decrypt the passwords in the DB then displayed to the user

Easy breezy. The questions still remain though, what is the best way to carry the session in a very secure way? What is the best reversible encryption method? How much extra security is added if I require a login instead of just the master password? How would you solve this problem yourself?
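One way to implement steps 2 and 3 from the post, as an added example that is not code from the thread: the master password is stretched with Argon2id into a key, each stored credential is sealed with authenticated encryption, and a wrong master password (or a tampered row) is detected rather than silently decrypting to garbage. It assumes PHP 7.3+ with the bundled sodium extension; the vault_* function names and the sample credential are constructed for the illustration.

```php
<?php
// Added example, not from the forum thread. Assumes PHP >= 7.3 with ext/sodium.
// The vault_* names and the sample credential below are constructed for illustration.
declare(strict_types=1);

/**
 * Derive a 256-bit secretbox key from the master password (step 2).
 * The salt is random per vault and stored in the clear; Argon2id makes
 * brute-forcing the master password from stolen DB rows expensive.
 */
function vault_derive_key(string $masterPassword, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $masterPassword,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

/** Encrypt one username/password pair; returns the two columns to store in the DB. */
function vault_encrypt(string $key, string $username, string $password): array
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per record
    $plain = json_encode(['u' => $username, 'p' => $password], JSON_THROW_ON_ERROR);
    $cipher = sodium_crypto_secretbox($plain, $nonce, $key); // XSalsa20-Poly1305: encrypts and authenticates
    sodium_memzero($plain);
    return [
        'nonce'  => base64_encode($nonce),
        'cipher' => base64_encode($cipher),
    ];
}

/**
 * Decrypt a stored row (step 3). Returns null when the Poly1305 tag does not
 * verify, i.e. the master password was wrong or the row was modified.
 */
function vault_decrypt(string $key, array $row): ?array
{
    $cipher = base64_decode($row['cipher'], true);
    $nonce  = base64_decode($row['nonce'], true);
    if ($cipher === false || $nonce === false) {
        return null; // corrupted row, not valid base64
    }
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        return null; // authentication failed: wrong key or tampered ciphertext
    }
    $data = json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    sodium_memzero($plain);
    return ['username' => $data['u'], 'password' => $data['p']];
}

// --- demo with constructed values ---
$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES); // generated once per vault, stored in the clear
$key  = vault_derive_key('correct horse battery staple', $salt);

$row = vault_encrypt($key, 'ops@example.com', 'S3cret!'); // constructed sample credential
$back = vault_decrypt($key, $row);
if ($back === null || $back['username'] !== 'ops@example.com' || $back['password'] !== 'S3cret!') {
    throw new RuntimeException('round trip failed');
}

// A wrong master password derives a different key, and the tag check rejects it.
$wrongKey = vault_derive_key('not the master password', $salt);
if (vault_decrypt($wrongKey, $row) !== null) {
    throw new RuntimeException('wrong key must not decrypt');
}

// Flip one byte of the stored ciphertext: the same check catches tampering.
$tampered = $row;
$bytes = base64_decode($tampered['cipher'], true);
$bytes[0] = chr(ord($bytes[0]) ^ 0x01);
$tampered['cipher'] = base64_encode($bytes);
if (vault_decrypt($key, $tampered) !== null) {
    throw new RuntimeException('tampered row must not decrypt');
}

sodium_memzero($key);
sodium_memzero($wrongKey);
echo "vault round trip, wrong-key and tamper checks passed\n";
```

Design notes on the session question in the post: in this layout the derived key exists only for the duration of the request that entered the master password and is zeroed afterwards, so nothing secret is written into `$_SESSION` or a cookie. The only values persisted are the salt, a nonce and an authenticated ciphertext per record, which is what an attacker with a DB dump would obtain.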
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Security to the Max!

Post by Apollo »

It's good that you take things seriously, but first consider: do you REALLY need to store the actual passwords? (in violation of rule nr.1 in these security measurements)

Having said that, TrueCrypt offers excellent, easy to use yet extremely strong encryption for any data. Would that fit in your situation?
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Re: Security to the Max!

Post by shiznatix »

Apollo wrote: It's good that you take things seriously, but first consider: do you REALLY need to store the actual passwords? (in violation of rule nr.1 in these security measurements)

Having said that, TrueCrypt offers excellent, easy to use yet extremely strong encryption for any data. Would that fit in your situation?
The first consideration: we do really need to store the passwords. Just, no other way, sadly.

TrueCrypt: This is a good idea, but we need something that would be accessible around the office and even in different countries, so something web based seems to be the best fit.