Wednesday, June 07, 2006

Website Security Considerations

It is not always easy to determine what type of security system should be put into place when building a website. Here I outline some of the basic security principles, as well as some decision points that need to be considered. I consider software-based systems (challenge-response with user name and password) rather than hardware implementations like biometrics or dongles, since these are rarely used on websites and certainly not for those I build!


Here are some basic security principles which nonetheless appear to be non-obvious at times.

1. Security is never absolute. There is no such thing as a secure system.

2. The more secure a system, the more trouble it is to use it. Every security system is a balancing act between security and convenience.

3. A security system that is implemented poorly is worse than none at all. This is because hidden flaws are harder to diagnose and fix than weaknesses which are known and planned for.

4. The more complex a security system, the more expensive it is to implement, and the more likely it is to be implemented poorly.

5. Every security system has its weakest link. There is no point addressing other aspects of the system until the weakest link is hardened.

Therefore, one should pick a level of security which balances the expectations of all parties (client, customers, technicians), is reasonably easy to implement, and finds a comfortable point on the secure/convenient scale.


For a website there are several dimensions of a security system to consider. The first is scope. Here are some possibilities:

1. None: All access is open.

2. Partial: A login system is in use for certain pages only.

3. Full: A login system is in use for all pages.

4. Variant: One might have two levels of password protection, or simply challenge the user with the same password requirement for access to areas considered especially sensitive (for example, eBay does this).

No public website has a completely full security scope, since this means that even the home page would not be accessible to search engine robots and the like.


The second major dimension is that of time. How long will the secure login be active? More than one of the following options may be in place at once.

1. For a single transaction.

2. For a fixed time period.

3. Until a fixed period of inactivity has occurred (e.g. a time-out).

4. Until the user explicitly logs out.

5. Until the user navigates away from the site.
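As an added illustration (not code from the original post), here is how options 2, 3 and 4 can be in force at the same time: a session is valid only while it is within a fixed lifetime since login, has not been idle too long, and has not been explicitly logged out. The lifetime and time-out values are constructed for the example, and the check deliberately refuses to extend a session that has already expired.

```python
from dataclasses import dataclass

# Policy knobs for the "time" dimension of a login.
# These values are constructed for this example, not taken from any site.
MAX_LIFETIME_SECONDS = 8 * 3600   # option 2: fixed period after login
IDLE_TIMEOUT_SECONDS = 15 * 60    # option 3: period of inactivity


@dataclass
class Session:
    user: str
    issued_at: float          # time of the successful login
    last_seen: float          # time of the most recent request
    logged_out: bool = False  # option 4: the user explicitly logged out


def session_state(s: Session, now: float) -> str:
    """Return 'active' or the reason the session is no longer valid.

    Checks are ordered so the most definitive reason wins: an explicit
    logout is reported even if the session would also have timed out.
    """
    if s.logged_out:
        return "logged_out"
    if now - s.issued_at >= MAX_LIFETIME_SECONDS:
        return "lifetime_expired"
    if now - s.last_seen >= IDLE_TIMEOUT_SECONDS:
        return "idle_timeout"
    return "active"


def touch(s: Session, now: float) -> str:
    """Record activity for a request and return the session state.

    Only an active session has its last_seen updated. Touching an expired
    session must not revive it, otherwise a request after a long absence
    would silently reset the idle time-out.
    """
    state = session_state(s, now)
    if state == "active":
        s.last_seen = now
    return state


def logout(s: Session) -> None:
    """Option 4: invalidate the session regardless of remaining time."""
    s.logged_out = True
```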


Here are some common problems of website password systems.

1. They email you the password. Email channels are not secure. Furthermore, if someone compromises your email account they can look for all your passwords in one fell swoop.

2. They store the password in unencrypted form, for example in a database.

3. They allow you to work around the password with a question like "What is your pet's name?" or something similar. This is much easier to guess or socially engineer than the password itself.

4. The password handling is done on the client side (in JavaScript) rather than on the server side.


The article Password Management Best Practices is a worthwhile read.

