Security Questions - Need some advice

Viruses, hackers and crackers
SilverBack
Registered User
Posts: 1387
Joined: 26 Jan 2006, 02:00
Location: JHB

Post by SilverBack »

Hiya all,

I am creating an online application system. I didn't want to give users that apply the option for a username (whether it be defaulted to an email address or one they select) and password for their profiles, as many of the potential users might not have an email address, or they might change their email address in the future. So sending password reminders etc. would be a problem. Also, with usernames they might forget what email address they used for their username, or if they selected a username, they might forget it.

So, to make things simple... I have made their ID Number field compulsory. This will be used to identify them and give them access to their profiles when they come back to the website. They will need to enter their ID Number and answer 2 security questions correctly to gain access to their profile.

Do you guys think this solution is ok? Have you got any other ideas on this? BTW - The security thing is not critical. If it were I would have done the username and password option. This is merely to identify the person and make sure it's the correct person.

Thanks. :wink:
Deja Moo: The feeling that you've heard this bull before.
Hire A Programmer -|- Just Source Code Blog
GreyWolf
Registered User
Posts: 4754
Joined: 06 Aug 2003, 02:00
Processor: PHENOM II 945
Motherboard: Asus M4A78
Graphics card: HIS ICEQ 4850 1GB
Memory: 4GB CORSAIR XMS II 1066
Location: , location, location!

Post by GreyWolf »

Seems a bit risky asking people to send their ID number over the net. Why don't you concatenate their first and last names to form their user name and keep the questions thing?

edit:fixed grammar ...stupid keyboard
"Every normal man must be tempted at times to spit on his hands, hoist that black flag, and begin slitting throats."
- H. L. Mencken
SilverBack
Registered User
Posts: 1387
Joined: 26 Jan 2006, 02:00
Location: JHB

Post by SilverBack »

The problem comes in where people will come to this website like once or twice a year. There is no way they will remember their username. ID Numbers are unique, they never change and they're not something easily obtainable unless the person is socially hacked. Added to that, the info the website contains is not private / super confidential in the sense that people will try to hack someone's account. So I don't see security as being critical... the only thing that could go wrong is the person's info can be changed if they happen to get into someone's profile... so it's not a biggy as the info will get backed up...
rustypup
Registered User
Posts: 8872
Joined: 13 Dec 2004, 02:00
Location: nullus pixius demonica

Post by rustypup »

I would consider performing a one-way hash on the submitted ID numbers prior to shipping...

just an idea...
Most people would sooner die than think; in fact, they do so - Bertrand Russell
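One way to carry out rustypup's suggestion, as an added example that is not code from anyone in this thread: the ID number is stored only as a keyed one-way hash that serves as the profile lookup key, and the security-question answers are stored as salted, slow hashes. The server key, the ID number and the answers below are constructed sample values; a real deployment would load the key from configuration or a secrets store.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed example key (assumption); never embed a real one in source.
SERVER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")

def normalize(text):
    """Fold case and whitespace so 'Cape  Town' and 'cape town' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def id_token(id_number):
    """Keyed one-way hash used as the lookup key instead of the raw ID number.
    The key matters: an identifier with a small, structured value space could be
    recovered from a plain unkeyed hash by trying every candidate value."""
    digits = "".join(ch for ch in id_number if ch.isdigit())
    return hmac.new(SERVER_KEY, digits.encode(), hashlib.sha256).hexdigest()

def hash_answer(answer, salt=None):
    """Salted, slow hash of a security answer, stored as alg$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return "pbkdf2_sha256$" + salt.hex() + "$" + dk.hex()

def check_answer(answer, stored):
    """Recompute with the stored salt and compare in constant time."""
    _alg, salt_hex, _digest = stored.split("$")
    recomputed = hash_answer(answer, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

def register(store, id_number, answers):
    """Persist only the keyed token and the hashed answers; returns the token."""
    token = id_token(id_number)
    store[token] = [hash_answer(a) for a in answers]
    return token

def authenticate(store, id_number, answers):
    """Grant access only if the ID maps to a profile and every answer matches.
    All answers are checked so a wrong first answer costs the same time."""
    stored = store.get(id_token(id_number))
    if stored is None or len(stored) != len(answers):
        return False
    results = [check_answer(a, s) for a, s in zip(answers, stored)]
    return all(results)
```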
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Post by SBSP »

I would go with the e-mail thing, most online services work with that.

Even this forum,

If they forget their e-mail address, that's not your problem.
Gargmel
Registered User
Posts: 99
Joined: 02 Feb 2007, 02:00

Post by Gargmel »

Personally I would never give my ID number to anyone, especially a website...
SilverBack
Registered User
Posts: 1387
Joined: 26 Jan 2006, 02:00
Location: JHB

Post by SilverBack »

Hmm... thanks for the input everyone. Gonna have to give this one a ponder... :wink:
Hex_Rated
Registered User
Posts: 3679
Joined: 19 Jan 2006, 02:00

Post by Hex_Rated »

Gargmel wrote:
> Personally I would never give my ID number to anyone, especially a website...

Me neither.
DFI LanParty X48 LT-2TR
Intel Q9450 @ 3.2Ghz
Dell 24" 2408WFP | Phillips 37" 1080p
Sapphire HD4870 X2 2GB
4GB Corsair DDR-2 1066 | Thermalrite 120 Ultra Extreme | G9 Mouse | G15 Keyboard
Vista Ultimate x64
SilverBack
Registered User
Posts: 1387
Joined: 26 Jan 2006, 02:00
Location: JHB

Post by SilverBack »

Prob is they want the user's ID Number... :?
Hex_Rated
Registered User
Posts: 3679
Joined: 19 Jan 2006, 02:00

Post by Hex_Rated »

Is the site encrypted?
SilverBack
Registered User
Posts: 1387
Joined: 26 Jan 2006, 02:00
Location: JHB

Post by SilverBack »

Unfortunately not. It's basically the careers section for our company's website. So they need the applicant's ID number. I dunno... maybe I need to just bite the bullet and use the email address as a username (force people who don't have an email address to get one?)... no email address you say?? Trust me... some applicants don't have one. Need to think long and hard about a solution here... :? Oh crumbs... :?
Frozenfireside
Registered User
Posts: 2618
Joined: 26 Apr 2007, 02:00
Location: Westcliff, Johannesburg

Post by Frozenfireside »

1) Use HTTPS. It's the secure version of HTTP but, yes, it is more expensive.

2) Send the ID and such through encrypted emails, but your actual transaction of data still needs to be secure, so you might still need HTTPS.

Use the email as a username and password. If the users don't have a password, time to get with the times. They can use webmail or something.

At least that way you don't run the risk of revealing highly sensitive info about your clients.

If you got hacked and had ID numbers and such online, you might get sued by your clients.

I'm trying to find that video of that programmer who edits the raw code of a website and saves the website to his hard drive. He removes the if statements refusing access if the username and password are incorrect, redirects the coding to the original website and got access to people's records.

I think you should get in touch with a web design team (if anyone is part of such a team, please help).

I just started Security and I know the basics (ports, protocols, implementation, viruses, OSI model, etc.) but next year gets interesting as we delve into hacking and such.
Soon Google will know everything...including how to divide by zero :(
SilverBack
Registered User
Posts: 1387
Joined: 26 Jan 2006, 02:00
Location: JHB

Post by SilverBack »

Ok... so I have decided to go with the email address as the username and they must choose their password. If they don't have an email address... they're just gonna have to register at ananzi or something. Thanks for the feedback guys ;)