I know this could be a very long topic and endless, but because I’m new to handling and understanding website security measures I still can’t tell how secure my user management system has to be.
Based on what I’ve read, security level really depends on what kind of information is going to be handled and used through the website. For me, I most likely will use some basic member/client information such as country, full name, email and maybe the phone number as well.
Now I want to be sure about what I’m doing here; I’m trying to create a user membership system that fits this criteria considering the security as my top priority. I started reading about some terms and what they are used for.
Please correct me if I’m wrong. for example, encryption is being used before sending the data to the database while hashing is being used when authentication is taking place. Now as I understand that hashing with bcrypt is the best practice. so what is the best practice for encrypting data in this case?
I’m not going to use md5 anymore since it is considered to be weak method for encryption.
also what is the level of security do I need in my case?
any good comment is appreciated.
Thanks,
Most of the time you would want to use an existing package to manage these things.
You are correct with your assumptions, confidential information in the database should be encrypted, if not hashed. Passwords should be hashed since you don’t need to retrieve them in plaintext, while a phone number should be encrypted since you want it to be protected while still having access to it in plain form.
If you insist on implementing the security features of your site from scratch, consider blowfish or AES.
There are many possible vectors of attack in a homebrew encryption/authentication suite, make sure you take full advantage of available solutions before reinventing the wheel.
But to answer your question, use blowfish or AES, they’re solid.