n9ne — 2012-03-27T06:42:07-04:00 — #1
I'm creating a website which will have various pages/functionality/information (PHP & MySQL) which is restricted based on who is viewing it. It is relevant to the employees of my organisation, but they will be based around the world. Security is paramount so I am trying to find ways to ensure unauthorised access is minimised. It will have the following security levels/features:
- User access control. Unregistered users have no access.
- Users are placed into usergroups. Usergroups are assigned permissions based on various pages/actions.
- There will be an Admin usergroup which cannot be edited by non-admins. Some permissions will also be restricted to this usergroup.
- There will be a superadmin who cannot be edited by anyone else regardless of admin status.
- all actions that impact the database are logged with IP, time, user info
- md5 or sha1 encryption on passwords and combination with 'salt' from user's database entry.
- access is controlled via session hashes.
- 10 failed logins -> blocked for x hours
- failed logins are logged & emailed to predetermined users' email addresses
- all successful logins are also monitored. If the geographical location of the login differs from the previous login on the same account, this is flagged and emailed.
Now the problem I'm having is if someone gets hold of someone else's password, there's not much else that I can do. The security stops there. What I'm looking for is further security steps in front of this.
One idea I have is a daily, random, "global" password in addition to user account passwords. This will be generated everyday (say at 2am) and emailed to "supervisors" who will actually meet or are in regular contact with people likely to use the website/system. That way, even if someone gets hold of someone's password, without knowing that day's global password, they won't be able to get in. This means any potential unauthorised entry will require knowing someone in the organisation who has the global password and is willing to give it over.
I could also check if the same account logs in from different geo locations in the same x hours/day.
Perhaps even more stringent security would be that upon registration of a user, they have to register their access points which binds their account to certain IPs.
Does anyone have any tips on hardening security? I don't mind ideas which are a little inconvenient for the users, because they are employees of an organisation so they don't require so much flexibility in access.
jake_arkinstall — 2012-03-27T06:55:19-04:00 — #2
If your employees travel, binding their account to an IP address is a failure waiting to happen, so don't go thinking about that until you're confident that your method is foolproof. Also static IPs aren't always viable, so even someone sitting at the same desk might have different IP addresses from day to day.
The global password could be sent out via SMS rather than requiring people to meet up daily - that prevents problems due to incompetence.
n9ne — 2012-03-27T07:39:48-04:00 — #3
Nice idea on the SMS. Definitely something I'll look into.
Re: travelling employees, I think I will have to think about this one. In most cases, employees will not travel. It will only be the senior management that will be travelling.
This has got me thinking about online banking security. Those little keypads that they give out - I wonder how costly these might be? A cheap solution to generate codes that match up might be worth considering too. This will alleviate the travelling problem somewhat.
guido2004 — 2012-03-27T08:04:50-04:00 — #4
Nowadays banks don't use those little keypads anymore (my bank still does, actually, but they're 10 years behind all others ), they send those codes in a SMS. Much more convenient, no need to bring extra stuff with you, your cell phone is enough.
n9ne — 2012-03-27T08:18:03-04:00 — #5
Really? It sounds like you're not in the UK then because most banks seem to still use those pesky card readers still!