n-Commandments of Identity Security

Chris Jones
May 3rd, 2012

Tech
  1. Thou shalt encrypt all external communications with thy users
  2. Thou shalt encrypt some internal communications on behalf of thy users
  3. Thou shalt keep thy passwords and thy email addresses in distinct and separate stores, as if they were credit card numbers
  4. Thou shalt require encrypted communication with client keys to retrieve passwords and email addresses
  5. Thou shalt never accept an unhashed or plaintext password and thy client will never send one
  6. Thou shalt treat users as salted hashes and never have immediate identification of any user or user action in thy systems
  7. Thy password and username systems shall be accessible only by API or service call and shall be implemented as separate, distinct, and secured networks, achieving defense in depth
  8. Email campaigns shall be built on salted hashes and only the emailer shall have access to user names and email addresses
  9. Customer service systems shall be able to construct salted hashes from user information but shall not keep copies of user names, email addresses, or passwords
  10. Thou shalt disable all default user ids, passwords, keys, and conveniences for thy databases, management systems, and third party tools
  11. Thou shalt never need to send an email to thy customers informing them that their private information has been accessed
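As an added illustration of commandments 3, 6 and 9 (not code from the original post), the sketch below keeps email addresses and password material in two separate stores and lets every other system refer to a user only by a keyed, salted hash derived from the email. The key, the in-memory dicts standing in for separate databases, and the function names are all assumptions; client-side hashing (commandment 5) is not modelled, so the credential received is hashed server-side.

```python
import hashlib
import hmac
import os

# Constructed demo key (assumption): in a real deployment it lives only with
# the identity service; campaign and support systems hold derived tokens only.
TOKEN_KEY = b"constructed-demo-key-do-not-reuse"

# Two separate stores (commandment 3); plain dicts stand in for two databases
# on distinct, secured networks.
EMAILS = {}     # token -> email address (the only place addresses live)
PASSWORDS = {}  # token -> (salt, pbkdf2 hash) (the only place password material lives)


def user_token(email: str) -> str:
    """Opaque user identifier from the normalized email via a keyed hash
    (commandments 6 and 9): anyone holding TOKEN_KEY can recompute it from
    user information, but the email cannot be recovered from the token."""
    return hmac.new(TOKEN_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    # Per-user salt plus a slow KDF; the raw password is never written anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(email: str, password: str) -> str:
    token = user_token(email)
    EMAILS[token] = email                                      # email store only
    salt = os.urandom(16)
    PASSWORDS[token] = (salt, hash_password(password, salt))  # password store only
    return token


def verify(email: str, password: str) -> bool:
    entry = PASSWORDS.get(user_token(email))
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(password, salt))


def support_lookup(email: str) -> dict:
    """What a customer-service system sees (commandment 9): it derives the
    token from the address the customer supplies and queries by token, but
    keeps no copy of the address and never touches password material."""
    token = user_token(email)
    return {"token": token, "has_credentials": token in PASSWORDS}
```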

