Security Questions - Need some advice
- Registered User
- Posts: 1387
- Joined: 26 Jan 2006, 02:00
- Location: JHB
- Contact:
Hiya all,
I am creating an online application system. I didn't want to give users that apply the option for a username (whether it be defaulted to an email address or one they select) and password for their profiles, as many of the potential users might not have an email address, or they might change their email address in the future. So sending password reminders etc. would be a problem. Also, with usernames they might forget what email address they used for their username, or if they selected a username, they might forget it.
So, to make things simple... I have made their ID Number field compulsory. This will be used to identify them and give them access to their profiles when they come back to the website. They will need to enter their ID Number and answer 2 security questions correctly to gain access to their profile.
Do you guys think this solution is ok? Have you got any other ideas on this? BTW - The security thing is not critical. If it were I would have done the username and password option. This is merely to identify the person and make sure it's the correct person.
Thanks.
Hire A Programmer -|- Just Source Code Blog
Deja Moo: The feeling that you've heard this bull before.
- Registered User
- Posts: 4754
- Joined: 06 Aug 2003, 02:00
- Processor: PHENOM II 945
- Motherboard: Asus M4A78
- Graphics card: HIS ICEQ 4850 1GB
- Memory: 4GB CORSAIR XMS II 1066
- Location: , location, location!
Seems a bit risky asking people to send their ID number over the net. Why don't you concatenate their first and last names to form their user name and keep the questions thing?
edit:fixed grammar ...stupid keyboard
"Every normal man must be tempted at times to spit on his hands, hoist that black flag, and begin slitting throats."
- H. L. Mencken
- Registered User
- Posts: 1387
- Joined: 26 Jan 2006, 02:00
- Location: JHB
- Contact:
The problem comes in where people will come to this website like once or twice a year. There is no way they will remember their username. ID Numbers are unique, it never changes and it's not something easily obtainable unless the person is socially hacked. Added to that, the info the website contains is not private / super confidential in the sense that people will try to hack someone's account. So I don't see security as being critical... the only thing that could go wrong is the person's info can be changed if they happen to get into someone's profile... so it's not a biggie as the info will get backed up...
- Registered User
- Posts: 1387
- Joined: 26 Jan 2006, 02:00
- Location: JHB
- Contact:
Hmm...thanks for the input everyone. Gonna have to give this one a ponder...
Gargmel wrote: Personally I would never give my ID number to anyone, especially a website...
Me neither.
DFI LanParty X48 LT-2TR
Intel Q9450 @ 3.2Ghz
Dell 24" 2408WFP | Phillips 37" 1080p
Sapphire HD4870 X2 2GB
4GB Corsair DDR-2 1066 | Thermalrite 120 Ultra Extreme | G9 Mouse | G15 Keyboard
Vista Ultimate x64
- Registered User
- Posts: 1387
- Joined: 26 Jan 2006, 02:00
- Location: JHB
- Contact:
Prob is they want the user's ID Number...
- Registered User
- Posts: 1387
- Joined: 26 Jan 2006, 02:00
- Location: JHB
- Contact:
Unfortunately not. It's basically the careers section for our company's website. So they need the applicant's ID number. I dunno... maybe I need to just bite the bullet and use the email address as a username (force people who don't have an email address to get one?)... no email address you say?? Trust me... some applicants don't have one. Need to think long and hard about a solution here... Oh crumbs...
- Registered User
- Posts: 2618
- Joined: 26 Apr 2007, 02:00
- Location: Westcliff, Johannesburg
- Contact:
1) Use HTTPS. It's the secure version of HTTP but, yes, it is more expensive.
2) Send the ID and such through encrypted emails, but your actual transaction of data still needs to be secure, so you might still need HTTPS.
Use the email as a username and password. If the users don't have a password, time to get with the times. They can use webmail or something.
At least that way you don't run the risk of revealing highly sensitive info about your clients.
If you got hacked and had ID numbers and such online, you might get sued by your clients.
I'm trying to find that video of that programmer who edits the raw code of a website and saves the website to his hard drive. He removes the if statements refusing access if the username and password are incorrect, redirects the coding to the original website and got access to people's records.
I think you should get in touch with a web design team (if anyone is part of such a team, please help).
I just started Security and I know the basics (ports, protocols, implementation, viruses, OSI model, etc.) but next year gets interesting as we delve into hacking and such.
Soon Google will know everything...including how to divide by zero
- Registered User
- Posts: 1387
- Joined: 26 Jan 2006, 02:00
- Location: JHB
- Contact:
Ok... so I have decided to go with the email address as the username and they must choose their password. If they don't have an email address... they're just gonna have to register at ananzi or something. Thanks for the feedback guys.