Member Avatar for mrhankey

hi,

what is the best password encryption to use on a website with mysql backend?

i have used md5 and sha1 in the past however which is best? crypt? ◦RJINDAEL ?

what is best to use? they wont be recovering the password only sent a new password if forgotten.

so which is best? and also what is the best way to secure the apache server to prevent attacks? i am working on a high end site for a client and i need it to be secure. i knoe you should not add in any layers i.e. cpanel as this makes it more open however what is the best way with cpanel being on and what is best security methods to take for an apache setup?

thanks again

  • 5 Contributors
  • 8 Replies
  • 147 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by Stefano Mtangoo
Member Avatar for WaltP

Is there a best anything? Aren't there different bests based on use? And if you don't like my best, then what? You don't really want the best? Or is someone else's best better?

IOW, never ask for best. It depends on what you are doing and how.

Member Avatar for almostbob

any password sent to them is not really secure
one of many possible practices is for the lost password user to identify themselves using a pre-Arranged cipher, all the name DOb, mothers maiden name, challenge-response, set up when opening accounts
a one-shot link is sent to the registered email address
using that link the user logs in and changes their password
& its still not really secure

Member Avatar for mrhankey

thanks however can you or anyone be a bit more helpful as that is not really the answer i was looking for, just some advice that was all.

Member Avatar for mrhankey

any password sent to them is not really secure
one of many possible practices is for the lost password user to identify themselves using a pre-Arranged cipher, all the name DOb, mothers maiden name, challenge-response, set up when opening accounts
a one-shot link is sent to the registered email address
using that link the user logs in and changes their password
& its still not really secure

thanks for your response, what password encryption method do you recommend or is not really important?

thanks again

Member Avatar for mrhankey

does anyone have a guide on securing apache and your system? recommend a book on this or best practices?

thanks

Member Avatar for almostbob

thanks for your response, what password encryption method do you recommend or is not really important?

thanks again

passwords should be <--ideal world alert--< changed over https, via https traffic in both directions is entirely encrypted

via http there is not security
serverside encryption sends the password in clear to the server where it is encoded
clientside encryption sends the algorithm in clear to the client
either choice allows malicious intent

Edited by almostbob because: n/a
Member Avatar for Stefano Mtangoo

If you need to activate something, send them secret code and not any user information. If you want to be more secure, use double word activation in that two keywords are needed to activate and they are sent separately in different times. You can use tri-keyword...et al depending on sensitivity.

if they are things like credit card accounts, make usage of account possible some time after activation and send a warning to an email that somebody activated their account. if that somebody was not them they should send email to admin or whoever. That will help in case hacker did interfere communication!

Edited by Stefano Mtangoo because: n/a
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.