> -----Original Message-----
> From: Ian Vaughan [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 14, 2005 4:23 AM
> To: CF-Talk
> Subject: RE: security suggestions?
> 
> Hi
> 
> Just to come back to a few of your security points for some more
> information please.
> 
> ---QUOTE---
> You might want to encrypt the information on the database... but this is
> a little overkill-ish.  However if you can't secure the database as much
> as you'd like it can be a good measure.
> ------
> Encrypt everything going into the database.
> -------

If your database is securely managed then encryption of its contents isn't
really needed in my opinion.

If your database is not securely managed (it's shared for example) the
encryption of its contents is a good idea.

> Say for example you were going to encrypt the users password that is
> stored in the database, what would you recommend to do this the Hash
> function?  If so how do you match up the password the user enters when
> logging in to the encrypted version of the password stored in the
> database?

You don't - you match the hashed/encrypted version of the password the user
enters to the database content.

Hashes are one-way - you can't "decrypt" them (although with short strings
you can pretty easily find something that matches).  The primary purpose of
hashes is to protect the actual text of the password since many people use
the same text for their passwords. 

> ----QUOTE---
> Use strong passwords for all users on both systems and any applications,
> such as CF Admin. Use a strong password generator for this.
> ----
> Do you know of any good examples of a strong password generator?
> 
> 
> ---QUOTE---
> convert it to a secure (encrypted) email and send it directly to the loan
> officer?
> --------------------
> 
> What would you use to secure the encrypted e-mail PGP or certain code in
> Coldfusion?  If it is PGP are any alterations needed on the Coldfusion
> site to convert it into encrypted format?

PGP is just a technology - you can use PGP in CF without too much hassle
(there are extensions out there).

You can also just plain encrypt the mail content using a public-private key
and give the loan-officer a decryption application.

> Finally is there a script that stops the user clicking on the back
> button in their browser window which would stop them viewing any
> sensitive data, or would you recommend just turning off the browsers
> standard buttons i.e. back, next, refresh etc and/or a script that stops
> users bookmarking certain pages in their browsers ?

You can't really do this easily so I wouldn't bother.  Off the top of my
head you can use the "back" button, you can right click and select "back"
and you can hit the backspace key to go "back".  There are many ways to get
anything done - trying to trap/prevent them all is pretty futile.  And even
if you could the information would still be cached.

Jim Davis
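The password handling Jim describes (hash what the user types and compare it to the stored value, never "decrypt") and the strong password generator Ian asks about, as an added example that is not part of this thread. It is plain Python using only the standard library rather than CFML; the PBKDF2 iteration count, the `pbkdf2_sha256$iter$salt$hash` record format and the function names are my own choices, not anything from the list.

```python
"""Added example: salted password hashing, verification by re-hashing,
and a CSPRNG-based strong password generator (standard library only)."""
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

ITERATIONS = 200_000  # assumption: a work factor high enough to slow offline guessing


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$hash_hex'.

    A random per-user salt means two users with the same password get
    different records, which blunts the 'short strings are easy to match'
    problem and hides password reuse across accounts."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the submitted password with the salt and parameters taken from
    the stored record, then compare in constant time. The stored hash is
    never reversed; a malformed record simply fails verification."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def generate_password(length: int = 20) -> str:
    """Strong random password drawn from the OS CSPRNG via `secrets`, with at
    least one character from each class so it passes typical complexity rules."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!@#$%^&*()-_=+"]
    chars = [secrets.choice(c) for c in classes]  # one guaranteed per class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # don't leak class order by position
    return "".join(chars)


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record))  # True
    print(verify_password("wrong guess", record))    # False
    print(generate_password())
```

At login you store only the record returned by `hash_password` and call `verify_password` with whatever the user submits; the same idea carries over to CFML with its own hashing function, provided the salt and iteration count are stored alongside the hash.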


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:221019
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4