The site is already built. It has several applications built for it over the years and each app has its own username and password pair. I finally said forget this and I'm integrating all the apps so they operate with one username password pair. Some of the apps store info that is subject to HIPAA and that is why I'm biting my nails about security. There is also a bulletin board that has not exactly what I call top secret info in it but pretty high level stuff we don't want getting out. Imagine like the CEO of Accenture communicating with the VPs all over the globe. It's stuff like that.
 
Adaryl Wakefield
Aviator by passion
Programmer by sheer force of will
----- Original Message -----
Sent: Friday, December 05, 2003 4:06 PM
Subject: RE: [KCFusion]

Depends how secure your site needs to be.  Does it _matter_ whether they're who they said they are?  If so, this solution doesn't work.
 
For many, many sites, all that matters is that the user be able to log in and that you have an email address for them.  If you require knowing who they are, you'll have to do credit card auth or hand out username/password combos through pre-certified means.
 
Striking a good balance between security and pissing off your users is always tricky.  If you can describe the kind of site you're building, you'll probably get better suggestions for appropriate solutions.
 
-glenn
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adaryl Wakefield
Sent: Friday, December 05, 2003 4:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [KCFusion]

This was his argument, to which I said that that assumes that the person on the other end of the email is indeed the right person.
 
Adaryl Wakefield
Aviator by passion
Programmer by sheer force of will
----- Original Message -----
Sent: Friday, December 05, 2003 3:49 PM
Subject: RE: [KCFusion]

Depends on how secure your site needs to be.
 
A reasonable middle ground is for users to give their email address, you email them a URL, they click the URL, you ask them to type a password.  Now you know you have a valid email address for them, and they know their password.  (The URL has the effect of the temp password, but feels more convenient to most users.)
 
-glenn
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adaryl Wakefield
Sent: Friday, December 05, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: [KCFusion]

The designer and I are having a discussion about security.
I say that if people want their passwords they have to submit emails and
answers to personal questions then I send them a temp password in email that
they have to change themselves.
He wants to do something more simple like type in your email address and we
just send you your password. I think that's horribly insecure but that is the
way Macromedia works. Opinions?

Adaryl Wakefield
Aviator by passion
Programmer by sheer force of will
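
The e-mailed-URL flow described in the 3:49 PM reply, as an added example that is not code from anyone in this thread: the link carries a random single-use token, the server keeps only the token's hash, and the password is stored as a salted hash so it could never be mailed back. The class name, the example.invalid URL, the 30-minute lifetime and the PBKDF2 iteration count are assumptions; redeeming a token shows control of the mailbox only, which is the limit raised in the 4:03 PM message.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 30 * 60   # assumed link lifetime in seconds
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune for the server


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ResetStore:
    """In-memory stand-in for the user and reset-token tables (hypothetical)."""

    def __init__(self):
        self.tokens = {}     # sha256(token) -> (email, expires_at)
        self.passwords = {}  # email -> (salt, derived key); never the plaintext

    def issue(self, email, now=None):
        """Return the URL to e-mail; only the token's hash is stored."""
        now = time.time() if now is None else now
        # A new request invalidates any earlier outstanding link for this address.
        self.tokens = {h: v for h, v in self.tokens.items() if v[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL)
        return "https://example.invalid/reset?token=" + token  # constructed URL

    def redeem(self, token, new_password, now=None):
        """Set the password if the token is known, unexpired and unused."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop makes the link single-use
        if entry is None or now > entry[1]:
            return False
        salt = secrets.token_bytes(16)
        self.passwords[entry[0]] = (salt, _hash_password(new_password, salt))
        return True

    def check(self, email, password):
        """Verify a login attempt against the stored salted hash."""
        if email not in self.passwords:
            return False
        salt, stored = self.passwords[email]
        return hmac.compare_digest(_hash_password(password, salt), stored)
```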
