Tips on creating a Good website

Hi guys,

This thread is dedicated to shalini and all CEans 😉

In this forum we are going to discuss the various security issues (as far as I know 😒) that one should keep in mind when creating a website.

Alright, let's get it started.....

Security issues can be divided into two categories: system security (for example, ensuring that other people cannot change your Web site) and information security (for example, ensuring that the customer details from an online store are safe).

System security

It is important to ensure that your system is secure, and reduce the chance that hackers can break into your Web server and alter pages.
System security is a strong responsibility, especially if you operate your own Web server.

Information security

Some Web sites may store sensitive information, such as the personal details (and perhaps even credit card numbers) of users. You should analyse the information stored and work out which information must be kept secure. As the operator of such a site, you have a responsibility to keep this information safe.

Encryption

Encryption, which makes it difficult for other people to intercept information, can be an important aid to security. However, encrypted Web connections (indicated by a padlock icon in the browser) do not ensure that information is held securely.

Complex issue

Making a site secure can be complicated. If you don't understand some of the basic concepts, you are unlikely to create a secure site simply by using 'secure' software.


More to come.......😉


-Arvind(slashfear)

Replies

  • slashfear
    Hi Guys,

    This time it's about passwords; we will have a peek into what the problems with passwords are and how to use passwords securely......;-)

    Passwords:

    There are two important issues in system security. One is in the use of passwords, which should be chosen and used securely. However secure a system might be, it is normally left wide open if the password used to access it is compromised.

    Problems with passwords


    Most systems use passwords to restrict access. It is possible to obtain a password in several ways:

    -> guessing

    If you choose a particularly simple password (your mother's maiden name, your pet's name, your favourite sports team) then people may be able to guess the password.

    -> brute-force search

    There are programs which can try many passwords, for example by going through every word in a dictionary.

    -> social engineering

    It is often possible to trick people into revealing passwords, for example by phoning up and pretending to be the Internet service provider or a member of the company.

    -> obtaining stored passwords

    Sometimes people store passwords on their computer, on post-it notes, in their diary, etc. In this case, the password can easily be obtained by somebody with physical access.

    -> obtaining shared passwords

    When the same password is used for several systems, anybody who obtains the password for one system already has it for all others.

    -> installing trojans

    There are 'trojan horse' software programs which install invisibly on your computer, monitoring keystrokes. These are often associated with computer viruses.

    -> interception

    If passwords are sent across an unencrypted connection, it may be possible to intercept the password as it is transmitted (this is usually a relatively low risk).

    Using passwords securely

    You can avoid these problems by:

    -> using a good password

    Choose a password that is reasonably long (at least 8 characters) and is not made up of simple words. Use punctuation and numbers if possible.

    -> ensure systems limit password attempts

    If possible, make sure that the system allows only a certain number of password attempts before locking out the account.

    -> not storing passwords

    Do not store important passwords on your computer, or write them down.

    -> not sharing passwords

    Use different passwords for all important systems.

    -> never giving out passwords

    Do not give out your password to anybody.

    -> maintaining general levels of computer security

    Use a virus checker and ensure that your email program is configured securely and kept up to date.

    -> using secure connections for passwords

    Make sure that passwords are sent across secure connections so that they cannot be intercepted in transit.


    Stay tuned guys.....!! More to come..........;-)
  • Kaustubh Katdare
    @ Slashfear: Most systems use MD5 encryption for storing passwords in the database. It makes it impossible for the system/database administrators to know the user passwords.

    Good thread, waiting for more 😀
  • shalini_goel14
    Thanks a lot slashfear for at least listening to me. 😀

    Hey slashfear, if possible try to avoid these theoretical things and elaborate more about each. Take your time.

    I am waiting for extracting more and more information from you. 😉
  • Prasad Ajinkya
    More on making your website secure - well, at least the password front.

    Always, always and I mean always store them in MD5 format. That way, even you do not know what the users' passwords are (until and unless you have the patience to run them through a rainbow table!)

    Second thing you can do is provide TLS support. That's Transport Layer Security (the padlock). It's basically a security certificate for your server and its subsequent transactions.
  • shalini_goel14
    kidakaka
    Second thing you can do is provide TLS support. Thats Transport Layer Security (the padlock). Its basically a security certificate for your server and its subsequent transactions.
    Hello Sir,

    How can we provide TLS support?
  • slashfear
    Hey guys,

    MD5 encryption.....!!! ;-) OK, here is how you do it......

    If you are developing a password-protected web site, you have to make a decision about how to store user password information securely.

    What is "secure," anyway? 😕 Realize that the data in your database is not safe. What if the password to the database is compromised? Then your entire user password database will be compromised as well. Even if you are quite certain of the security of your database, your users' passwords are still accessible to all administrators who work at the Web hosting company where your database is hosted. Scrambling the passwords using some home-brewed algorithm may add some obscurity but not true "security." Another approach would be to encrypt all passwords in your database using some industry-standard cipher, such as the Message-Digest Algorithm 5 (MD5).

    MD5 encryption is a one-way hashing algorithm. Two important properties of the MD5 algorithm are that it is impossible to revert an encrypted output back to the initial, plain-text input, and that any given input always maps to the same encrypted value. This ensures that the passwords stored on the server cannot be deciphered by anyone. This way, even if an attacker gains reading permission to the user table, it will do him no good.

    MD5 does have its weaknesses. MD5 encryption is not infallible: if the password is not strong enough, a brute force attack can still reveal it. So, you can ask: "Why should I use MD5 if I know it is not the most secure?" The answer is fairly straightforward: it's fast, it's easy, and it can be powerful if salted. The greatest advantage of MD5 is its speed and ease of use.

    It is vitally important to understand that password encryption will not protect your website; it can protect your passwords only. If your website does not have sufficient protection, password encryption will not make it safe from cracking. If your system has been cracked, a hacker can inflict irreparable damage on it and also gain access to confidential information, including the passwords database. But if you store this information encrypted, hackers practically cannot make use of it. Cracking an encrypted password takes a large amount of time and processing power, even on today's computers.

    So, let's start. First of all, you need to add a new account to your database. The following code allows you to do it.

    Now, when a new user completes the registration form, his password will be encrypted automatically.

    After that we should write code that validates a given username/password pair.

    And what if you already have a users' database ready and want to start using encrypted passwords? To do it, you need to write an encrypt.php script as shown in the code below and run it in your browser.

    ord('9')) && (ord($str[$i])ord('f')))
       return false;
     return true;
    }
    ?>

    Encrypt passwords

    Total passwords in the table -
    0) { ?> All passwords are encrypted. 0) { ?> Unencrypted -

    Click "GO" to encrypt passwords.
    WARNING! There will be no way to decipher the passwords.
    Hope I made it right......!!! If I am wrong correct me bigie........😒


    -Arvind(slashfear)😉
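The three steps the post walks through (store a hash at registration, validate a username/password pair, migrate a table that still holds plaintext) as an added Python example; this is not the post's PHP code. It swaps in a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) for bare MD5, since the post itself notes MD5 is only "powerful if salted", and keeps an `is_hex_digest` check like the one the post's encrypt.php used to spot rows that are already hashed. The table is a plain dict standing in for the database, and the round count is an assumed value.

```python
"""Salted password storage: register, validate, and migrate a legacy table.
Constructed example; the users table is a dict standing in for the database."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # work factor; assumed value, raise it as hardware allows


def is_hex_digest(value, length=32):
    """True if value looks like a lowercase hex digest of the given length
    (32 hex characters for MD5). Same idea as the post's encrypt.php check
    that tells already-hashed rows from plaintext ones."""
    return len(value) == length and all(c in "0123456789abcdef" for c in value)


def unsalted_md5(password):
    """What the post stores: md5(password). Equal passwords give equal digests,
    so an attacker who reads the table learns which users share a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated hash stored as 'pbkdf2$salt$digest'. A fresh random
    salt per user means equal passwords no longer share a stored value."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return False
    try:
        salt, digest = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:  # malformed row, never let it authenticate
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed, digest)


def register(users, username, password):
    """Step 1 of the post: the plaintext never reaches the table."""
    users[username] = hash_password(password)


def login(users, username, password):
    """Step 2 of the post: validate a username/password pair."""
    stored = users.get(username)
    return stored is not None and verify_password(password, stored)


def migrate_legacy_table(users):
    """Step 3 of the post: hash rows that still hold plaintext; returns how many
    were converted. Rows already salted are skipped, as are bare 32-hex MD5 rows,
    which cannot be upgraded without the plaintext (re-hash at next login). As with
    the original script, a plaintext that happens to be 32 hex chars is skipped too."""
    converted = 0
    for username, value in list(users.items()):
        if value.startswith("pbkdf2$") or is_hex_digest(value):
            continue
        users[username] = hash_password(value)
        converted += 1
    return converted
```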
  • slashfear
    Hey shalini,

    I am sorry, without the explanation people can't understand what's going on......

    So forgive me for the explanations 😒 and you will surely have samples for everything....

    And do you know you can use the MD5 algorithm in Java too.....


    -Arvind(slashfear)
  • shalini_goel14
    slashfear
    Hey shalini,
    And do you know you can use MD5 algorithm in JAVA to.....

    -Arvind(slashfear)
    Yeah, I guess. I know its algorithm and I can program it in Java. Never tried, but would like to try once and will let you know if I get it done.
  • sarveshgupta
    Good thread Slashfear! Currently going through exams. I will surely try to follow it. Although I need to learn php first. The theory part is great but the code sample is going above my head.

    Waiting to finish exams and learn PHP. Then I will surely be able to understand and post questions. Still trying to understand the concept.
  • sarveshgupta
    Can you tell me, is this MD5 algorithm available in .NET also?
  • slashfear
    Hi Sarvesh,

    Thanks dude!!!😁

    Yes, it is available in .NET too ;-). To use MD5 in .NET, you have to import the following:

    Imports System.Security.Cryptography

    And I am not that good in .NET 😔, so I thought of posting you this link, which would be helpful to you and will help you get a clear picture of how to do it in .NET along with an example. Here is the link:

    #-Link-Snipped-#

    #-Link-Snipped-#


    Hope this was useful to you.......!!!!;-)


    -Arvind(slashfear)
  • sarveshgupta
    Thank you Slashfear..
  • sarveshgupta
    Hope to learn and see more from you..
  • Ramseem
    😡How to create a site including php or .net😔
  • Kaustubh Katdare
    Ramseem - if you know PHP - you'll know how to set up a website. If you need basics on setting up a website, look at the following -

    #-Link-Snipped-#

    #-Link-Snipped-#

    #-Link-Snipped-#
  • slashfear
    Thanks Bigie for solving the previous query .............😁
  • slashfear
    Hey guys,

    I think it is important and useful for you guys to go through and know what a "Distributed Denial of Service" (DDoS) attack is.

    I have already discussed this attack and prevention methods in this forum, so for those who missed reading it... here is the link:

    #-Link-Snipped-#


    Any doubts and if you want any detailed description please feel free to ask guys!!!!;-)


    -Arvind(slashfear)
  • Ashraf HZ
    Slashfear, I enjoy reading your threads! Cryptology is one of my recent interests 😀
  • slashfear
    Thanks ash......:smile:
  • slashfear
    Hi Guys,

    This time we go with the need for SSL certificates for websites..... 😉

    SSL Certificates:

    The most basic component of website security is SSL, Secure Sockets Layer technology. All web pages that transmit and receive credit card and other sensitive information should use SSL for website security.

    This form of website security utilizes a system of invisible “encryption” that guarantees website security without any inconvenience to the communicating parties. SSL is an industry standard that provides website security to millions of websites.

    Commonly, information is sent across the internet by passing it from one computer (also called “servers”) to another and website security is not a serious issue. However, because every bit of information on the internet travels through so many computers (servers) to reach its destination, website security IS an issue when sensitive information is passed.


    “Encryption” is the process of converting sensitive information, referred to as “plaintext” which anyone can read, into coded or “ciphertext” which requires a “key” for deciphering. SSL ensures that data passed between web servers and browsers (personal computers) have proper website security so that what are called secure “sessions” can transpire between two parties.

    To implement SSL website security protocol, an SSL Certificate is required. These can be obtained through various website security vendors and through website hosts and web page vendors that are Certification Authorities (CA’s). These should be a trusted CA source to additionally assure your website security.

    An SSL Certificate for website security requires a domain name, company name, address, city, state and country. When issued it will contain the expiration date and information about the Certification Authority that issued this website security instrument.

    This Certificate is checked by any computer browser that begins a secure session on a website. SSL website security protocol, when checking an SSL Certificate, will note the expiration date, whether the CA is one that is trusted by the browser, and that the Certificate is in use by the correct website for which it was issued. Failing any of these checks will prompt a warning to the end user, indicating that website security is in doubt.

    You can get SSL certificates from Buy SSL from a Leading Certificate Authority | Thawte® or from #-Link-Snipped-# or Google it out!!!😉


    PS: Mods please check the above links :smile:


    -Arvind(slashfear)
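The three checks the post says a browser runs on a certificate (expiration date, trusted CA, certificate issued for the site being visited) as an added Python example, not code from the post. It works over the dict layout that Python's `ssl.getpeercert()` returns; the certificate, the trust store of CA organization names and the fixed "now" clock are all constructed placeholders.

```python
"""Expiry, trusted-CA and hostname checks over a getpeercert()-style dict.
Constructed example; the certificate and trust store below are placeholders."""
import ssl

# Assumed trust store: organizationName values of CAs this client trusts.
TRUSTED_CA_ORGS = {"Example Root CA"}

# Fixed clock for the demo, so the constructed certificate stays "valid".
EXAMPLE_NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2025 GMT")


def _rdn_to_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) tuples into a dict."""
    return {k: v for rdn in rdn_sequence for k, v in rdn}


def hostname_matches(pattern, hostname):
    """Exact match, or a single-label wildcard such as '*.example.com'
    (the wildcard must cover exactly one label, not 'a.b.example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_certificate(cert, hostname, trusted_orgs=TRUSTED_CA_ORGS, now=EXAMPLE_NOW):
    """Return the list of failed checks; an empty list means the browser would
    open the session without a warning."""
    failures = []
    # 1. expiration date (notAfter uses the same text form as getpeercert())
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        failures.append("expired")
    # 2. the issuing CA must be one the client trusts
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    if issuer.get("organizationName") not in trusted_orgs:
        failures.append("untrusted CA")
    # 3. certificate must be for the site visited: SAN entries first, CN as fallback
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [_rdn_to_dict(cert.get("subject", ())).get("commonName", "")]
    if not any(hostname_matches(n, hostname) for n in names):
        failures.append("hostname mismatch")
    return failures


# Constructed certificate in getpeercert() form (not a real certificate).
SHOP_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2026 GMT",
}
```

A real client gets the dict from `ssl.SSLSocket.getpeercert()` after the handshake; the same three checks apply, with the operating system's CA store in place of `TRUSTED_CA_ORGS`.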
  • Saandeep Sreerambatla
    ash
    Slashfear, I enjoy reading your threads! Cryptology is one of my recent interests 😀
    Yes, it's one of my interests too..
    Slashfear you are great, I am not following this thread but will follow soon.
    Can you tell me what the pre-requisites are that I need to learn before reading this, such that I will be clear?
  • Kaustubh Katdare
    Nothing's wrong with the links. We only remove advertisement links from the posts.
  • slashfear
    Thanks for checking Bigie....
  • slashfear
    Hey ES,

    These are general tips on security, buddy, so just go through the articles and you will get knowledge about security issues and will automatically know what you have to learn......;-)




    -Arvind(slashfear)
  • Saandeep Sreerambatla
    OK, I will start some day and will post my issues here, thanks Slashfear 😀
  • slashfear
    You're always welcome dude!!! Looking forward to your queries😁
  • Saandeep Sreerambatla
    Will post for sure. Just recommend me any books on these topics; I read a lot, so it will be useful for me. In 2 to 3 weeks your mail box/the thread will be flooded with my questions. I want you to recommend me some books on it; if you have any links, send them to my mail id available in the signature.

    thanks
  • slashfear
    Yes sure I will do that dude, just give me two days 😒
  • silverscorpion
    Hi SlashFear,
    Once again, nicely written. Thanks for that!!
    Some doubts about this..

    When you say we can get SSL certificates from the above links, what do you mean?? Should we submit our site to them? Will they examine it and then issue a certificate that it's safe?

    How much does it cost to obtain such a certificate??

    I often hear about another security concept, the TLS (Transport Layer Security). What's the difference between SSL and TLS?
  • Harshad Italiya
    Superb thread man
  • slashfear
    Thanks Godfather!!!!😁
  • slashfear
    Hi Scorpion,

    hey buddy, I think you will get the answers from the below link.......
    #-Link-Snipped-#

    And regarding the cost, you can also find that on the website itself, buddy!!

    and the difference between SSL and TLS is as follows:

    SSL stands for Secure Sockets Layer (as we have discussed above). Netscape originally developed this protocol to transmit information privately, ensure message integrity, and guarantee the server identity. SSL works mainly through using public/private key encryption on data. It is commonly used on web browsers, but SSL may also be used with email servers or any kind of client-server transaction. For example, some instant messaging servers use SSL to protect conversations.

    TLS stands for Transport Layer Security. The Internet Engineering Task Force (IETF) created TLS as the successor to SSL. It is most often used as a setting in email programs, but, like SSL, TLS can have a role in any client-server transaction.

    The differences between the two protocols are very minor and very technical, but they are different standards. TLS uses stronger encryption algorithms and has the ability to work on different ports. Additionally, TLS version 1.0 does not interoperate with SSL version 3.0.


    In the Next post I will tell you guys about the TLS......;-)


    -Arvind(slashfear)
  • slashfear
    Hi Guys,

    All websites will surely have a database as a back end (most websites!!! 😀); no matter what database you're using, certain queries can change the entire situation of your website. Yes, I am talking about SQL injection.

    So it's better to know how the attack works and how to prevent it. I have dedicated a separate thread to SQL injection; you can have a look at that by clicking the link below (for those who are not following that thread 😁):

    #-Link-Snipped-#


    And get some knowledge on the World's Best Hackers, Crackers, intruders and virus creators, to make it simple, MASTER MINDS, from the following thread:

    #-Link-Snipped-#


    Hope you guys enjoy this...........😉



    -Arvind(slashfear)
  • Saandeep Sreerambatla
    slashfear
    Yes sure I will do that dude, just give me two day's 😒

    Arvind, I am waiting for your answer 😀

You are reading an archived discussion.
