Last week I said I'd be upgrading the encryption level of the eMail and password in the I am Blog database. Taking a closer look at it, I found that it isn't needed at all. I am already using the highest level of encryption of the stored password in the database available. The only way to increase the password encryption is by adding some stuff myself, and right now I don't think that's really needed, though I might add it later on when the need arises...
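For readers who want to see what "adding some stuff myself" on top of the database's built-in password storage usually means in practice, here is an added example (not the I am Blog code, and not any particular database's function): each password gets its own random salt, the hash is stretched with PBKDF2, the parameters are stored alongside the hash so they can be raised later, and verification uses a constant-time comparison. The iteration count, salt size and string format are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example; raise ITERATIONS as hardware gets faster.
ALGO = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2$algo$iterations$salt$hash.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table is useless.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2",
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, algo, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, int(iters), len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with weaker parameters than the current policy.

    Call this after a successful login; if it returns True, hash the password the
    user just typed with hash_password() and overwrite the stored record.
    """
    try:
        scheme, algo, iters, _, _ = stored.split("$")
    except ValueError:
        return True
    return scheme != "pbkdf2" or algo != ALGO or int(iters) < iterations
```

Because the record carries its own parameters, the strength can be increased later without a migration: old records keep verifying, and `needs_rehash` flags them for an upgrade at the next login.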
Then the encryption of the eMail address used. I can be very short on it: NOT GONNA HAPPEN. I hear you wonder why, and it's quite logical. If I encrypt it in a way that it can be decrypted again, a hacker will be able to do the same. I also can't simply use a one-way encryption (hashing), because the eMail address is needed for eMailing the user when comments are posted on their blog and such things.
Then back to the security issue for the eMail address... None there, I think. The user can change the eMail address at any time if needed. I can however add a so-called 'account armor' to the I am Blog database, which will be optional (or forced, not sure yet about it). The account armor is a system where the IP addresses the user has given permission for are stored, which mostly is the PC used to write the blogs with. When the user logs on from a not yet known IP address, an eMail is sent to the user's registered eMail address, which will include a link (or code) to allow the listed IP address to be used.
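The account armor flow described above, as an added example (my own illustration, not the I am Blog implementation): a per-user allow-list of IP addresses, a random single-use token mailed out when an unknown address logs in, the token stored only as a hash, an expiry on the confirmation link, and a way to revoke an address again. The `send_mail` hook, the token lifetime and the in-memory storage are assumptions; a real deployment would back `approved` and `pending` with database tables.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed: a confirmation link stays valid for 15 minutes


class AccountArmor:
    """Allow-list of IP addresses per user, confirmed out-of-band by e-mail."""

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail  # hypothetical hook: send_mail(email, token)
        self.now = now              # injectable clock so expiry can be tested
        self.approved = {}          # user -> set of approved IP addresses
        self.pending = {}           # sha256(token) -> (user, ip, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a hash of the token: a dump of the pending table is not
        # enough to approve an address.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def login_from(self, user: str, email: str, ip: str) -> str:
        """Return 'allowed' for a known address, otherwise mail a token and return 'challenge'."""
        if ip in self.approved.get(user, set()):
            return "allowed"
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        self.pending[self._hash(token)] = (user, ip, self.now() + TOKEN_TTL)
        self.send_mail(email, token)
        return "challenge"

    def confirm(self, token: str) -> bool:
        """Consume a token from the mailed link; approve the address it was issued for."""
        entry = self.pending.pop(self._hash(token), None)  # pop: single use
        if entry is None:
            return False
        user, ip, expires_at = entry
        if self.now() > expires_at:
            return False
        self.approved.setdefault(user, set()).add(ip)
        return True

    def revoke(self, user: str, ip: str) -> None:
        """Drop an address again, e.g. from the user's settings page."""
        self.approved.get(user, set()).discard(ip)


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the mail server
    armor = AccountArmor(send_mail=lambda email, token: outbox.append((email, token)))
    print(armor.login_from("alice", "alice@example.com", "203.0.113.5"))  # challenge
    _, token = outbox[-1]
    print(armor.confirm(token))                                            # True
    print(armor.login_from("alice", "alice@example.com", "203.0.113.5"))  # allowed
```

Two details carry the security of the scheme: the token must come from a cryptographic generator (`secrets`, not `random`), and confirming must approve the address recorded when the token was issued, not whatever address the confirmation click arrives from, otherwise an attacker who phished the link could approve their own machine.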
Last but not least (and not mentioned before) are the cookies used for I am Blog. I think I have made those already very secure in the past. When I created them around 2 years ago, I encrypted them in such a way that now, looking into them, it took me over an hour to figure out how I did the encryption. I think that if I (as the creator of these cookies) have a hard time figuring out how I did it, a hacker will have an even harder time figuring them out.
Of course, one important note about security has to be made. Right now I think the security measures are up to date, but as time goes by I have to rethink them to stay ahead of potential hackers. Anything that's deemed safe now can be broken tomorrow; just a thought...