Is it possible to secure an application if it is unlikely that the website will have an SSL certificate? [closed]

  1. I ALWAYS use a hashed password with a salt. It is also good to implement some sort of brute force checking to block IPs that attempt more than X failed logins, etc.

  2. It’s a system people know. Giving someone a 32 character guid might work better if they could remember it. The problem is people not using good passwords and using the same passwords for banking as they do for e-mail as they do for Facebook. A possible scenario: you go to Joe Blow’s site because he’s offering a free ringtone, and you create an account using the same user/pass you use everywhere. Joe Blow doesn’t encrypt your password, instead he uses it to try to access various banking websites using the same username/password combo. If you entered your e-mail on the site and used the same password as your e-mail, then he can access that and find out what bank you use when you get an e-mail from them letting you know your statement is available. The weakest link is almost always the user not being careful enough.

  3. Some of the extra precautions I take beyond IP checking, brute force protection, etc., are to make sure the user-agent stays the same for the life of the session. It’s just one extra check that helps protect against someone brute-forcing session IDs…they’d have to also spoof the user agent perfectly, which would require a man in the middle or someone with a live view of the DB…which isn’t usually worth worrying about.

  4. I have yet to have an admin area hacked, but I have seen attempts. Everyone knows that they can go to wp-admin/ inside a WordPress website. If there were no authentication, there wouldn’t be a blog in the world that didn’t have 1000 blogs by a spammer overnight. It may not keep out the hacker-elites and middle-men…but most blogs aren’t worth the efforts for those guys. But not having any credentials would let any guy who can write a bot access everyone’s blogs.
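The three server-side measures the answer relies on (points 1 and 3) fit together in a small login flow: salted, slow password hashing; a per-IP failed-login counter; and session IDs bound to the User-Agent seen at login. The code below is an added example written for this page, not the poster's code. It assumes PBKDF2-SHA256 as the hash, an in-memory dict in place of the database, and the constants at the top (iteration count, failure limit, window) as placeholder policy values.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

# Policy values assumed for this example (not taken from the answer above).
PBKDF2_ITERATIONS = 600_000   # cost factor; raise as hardware gets faster
MAX_FAILED_PER_IP = 5         # "block IPs that attempt more than X failed logins"
FAILURE_WINDOW_SECONDS = 900  # failures older than this no longer count
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class LoginGuard:
    """Sliding-window counter of failed logins per source IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)      # ip -> timestamps of failures

    def _prune(self, ip: str, now: float) -> deque:
        q = self._failures[ip]
        while q and now - q[0] > FAILURE_WINDOW_SECONDS:
            q.popleft()
        return q

    def is_blocked(self, ip: str) -> bool:
        return len(self._prune(ip, self._clock())) >= MAX_FAILED_PER_IP

    def record_failure(self, ip: str) -> None:
        now = self._clock()
        self._prune(ip, now).append(now)

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)


class SessionStore:
    """Random session IDs, each bound to the User-Agent seen at login."""

    def __init__(self):
        self._sessions = {}                      # sid -> (username, user_agent)

    def create(self, username: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)          # 256 random bits: not guessable
        self._sessions[sid] = (username, user_agent)
        return sid

    def resolve(self, sid: str, user_agent: str) -> Optional[str]:
        """Return the username for sid, or None. A User-Agent that differs from
        the one recorded at login invalidates the session outright."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, bound_agent = entry
        if not hmac.compare_digest(bound_agent.encode(), user_agent.encode()):
            del self._sessions[sid]              # drop it rather than just refuse
            return None
        return username


# A dummy record so unknown usernames cost the same time as real ones, which
# keeps response timing from revealing which accounts exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))


def login(users, guard, sessions, ip, username, password, user_agent):
    """Return a session ID on success, None on any failure (same answer for
    a blocked IP, an unknown user and a wrong password)."""
    if guard.is_blocked(ip):
        return None
    salt, digest = users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    ok = verify_password(password, salt, digest) and username in users
    if not ok:
        guard.record_failure(ip)
        return None
    guard.record_success(ip)
    return sessions.create(username, user_agent)


if __name__ == "__main__":
    # Constructed sample data: one user record stored as (salt, digest).
    users = {"alice": hash_password("correct horse battery staple")}
    guard, sessions = LoginGuard(), SessionStore()
    ua = "Mozilla/5.0 (example)"
    sid = login(users, guard, sessions, "203.0.113.7", "alice", "correct horse battery staple", ua)
    print("session resolves:", sessions.resolve(sid, ua) == "alice")
    print("different UA rejected:", sessions.resolve(sid, "curl/8.0") is None)
```

Two design points worth noting. `login` returns the same `None` for a blocked IP, an unknown user and a wrong password, and hashes against a dummy record when the user does not exist, so neither the response nor its timing tells a caller which case occurred. The User-Agent binding is, as the answer says, only a secondary check: anyone who can read the session ID off the wire can usually read the User-Agent too, so on a mismatch the session is destroyed rather than merely refused, which limits the damage to forcing a fresh login.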
