@tomic
Senior Member
USA
1790 Posts
Posted - 11 December 2002 : 20:50:31
Oh, and as far as encryption goes...isn't that only necessary if it's in the database? So it would defeat the purpose of encryption so much as make it unnecessary.
I use a shopping system that operates this very way. There is encryption for passwords all right except for the admins.
@tomic
SportsBettingAcumen.com
Edited by - @tomic on 11 December 2002 20:51:53

GauravBhabu
Advanced Member
4288 Posts
Posted - 11 December 2002 : 20:57:39
quote: Originally posted by @tomic
They don't call it the primary Admin for nothing.
@tomic
Primary admin does not mean he should have access to your password. Imagine the President of your Bank (just one example) having access to your banking password.
quote: I use a shopping system that operates this very way. There is encryption for passwords all right except for the admins.
I will not shop where the shopping system is operated in such a way.
Edited by - GauravBhabu on 11 December 2002 21:00:01

@tomic
Senior Member
USA
1790 Posts
Posted - 11 December 2002 : 22:14:52
quote: Primary admin does not mean he should have access to your password. Imagine the President of your Bank (just one example) having access to your banking password.
You're kidding right? You think the President couldn't get the password if he or she wanted to?
@tomic
SportsBettingAcumen.com

GauravBhabu
Advanced Member
4288 Posts
Posted - 11 December 2002 : 22:46:07
Call your Bank and ask them if they can access your password. IMO, they have no right to know the account holders' account passwords.

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 11 December 2002 : 23:14:31
They don't need your password; they already have full access to, and control over, your bank account.
Kiwihosting.Net - The Forum Hosting Specialists

@tomic
Senior Member
USA
1790 Posts
Posted - 11 December 2002 : 23:46:35
That's what I mean. You, or whoever is the admin, has and should have that level of control. You can download the stinking database if you want. The sky's the limit.
@tomic
SportsBettingAcumen.com

BWJM
Junior Member
Canada
193 Posts
Posted - 12 December 2002 : 02:27:20
@tomic is right on with the same wavelength as me. One thing that I would suggest though... Instead of specifying usernames and passwords of the Admins, simply list the memberids of administrators (and possibly by extension moderators too)
E.g.:
defineNewAdmin(iMemberID)
defineNewAdmin(iMemberID2)
defineNewModerator(iMemberID3)
This will effectively move the mLev property to a more secure location. The rest of the definition of the users' profiles would remain as is. You're doing exactly this right now with the SuperAdmin. Just extend that to the rest of the Admins and perhaps mods too. Instead of querying the database for mLevs, query an array defined in config.asp for example. There are a million fine implementations, but I think I've covered the concept.

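BWJM's suggestion of keeping the admin and moderator ids in config.asp rather than trusting the members table's mLev column, as an added Python sketch that is not Snitz code (Snitz itself is classic ASP). The ids, names, level numbers and the tampered row are constructed, and find_privilege_drift is a hypothetical check that flags rows whose stored level exceeds what config grants.

```python
# Added example, not Snitz code: privilege levels derived from a config-defined
# id list instead of the members table's MLEV column, as BWJM suggests. Snitz is
# classic ASP; this Python sketch uses constructed ids, names and level numbers.
from dataclasses import dataclass
from typing import Iterable

# Equivalent of the defineNewAdmin / defineNewModerator entries in config.asp.
SUPER_ADMIN_ID = 1
ADMIN_IDS = frozenset({1, 7})
MODERATOR_IDS = frozenset({12, 30})

# Constructed level numbering; only the ordering matters for the checks below.
LEVEL_MEMBER, LEVEL_MODERATOR, LEVEL_ADMIN, LEVEL_SUPERADMIN = 1, 2, 3, 4

@dataclass(frozen=True)
class MemberRow:
    member_id: int
    name: str
    mlev: int  # stored privilege column; informational only under the new scheme

def config_level(member_id: int) -> int:
    """New scheme: the level comes from config and never from the DB row."""
    if member_id == SUPER_ADMIN_ID:
        return LEVEL_SUPERADMIN
    if member_id in ADMIN_IDS:
        return LEVEL_ADMIN
    if member_id in MODERATOR_IDS:
        return LEVEL_MODERATOR
    return LEVEL_MEMBER

def is_authorized(member_id: int, required: int) -> bool:
    """Gate an admin or moderator action on the config-derived level."""
    return config_level(member_id) >= required

def find_privilege_drift(rows: Iterable[MemberRow]) -> list[int]:
    """Ids whose stored MLEV claims more than config grants. Such rows were
    edited outside the intended path and are worth alerting on."""
    return [r.member_id for r in rows if r.mlev > config_level(r.member_id)]

# Constructed sample table: member 99's MLEV was raised directly in the DB.
SAMPLE_ROWS = [
    MemberRow(1, "primary_admin", LEVEL_SUPERADMIN),
    MemberRow(7, "second_admin", LEVEL_ADMIN),
    MemberRow(12, "mod_one", LEVEL_MODERATOR),
    MemberRow(99, "just_a_member", LEVEL_ADMIN),  # tampered row
]
```

With the old scheme the tampered row would have made member 99 an admin; under the config-derived check it does not, and the drift check surfaces the row.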
@tomic
Senior Member
USA
1790 Posts
Posted - 12 December 2002 : 02:45:33
I should point out that even though I suggested hard-coding the admins and their passwords, someone posted a "20 Things Never to do" link and doing this was on the list.
@tomic
SportsBettingAcumen.com

BWJM
Junior Member
Canada
193 Posts
Posted - 12 December 2002 : 02:48:15
lol - passwords I would agree is a no-no, but hardcoding the admins' memberids IMHO should be fine.

seahorse
Senior Member
USA
1075 Posts
Posted - 12 December 2002 : 04:38:06
quote: Originally posted by @tomic
someone posted a "20 Things Never to do" link and doing this was on this list
That would be me. I don't write the articles, I just pass them along...
http://online.securityfocus.com/infocus/1603
Ken =============== Worldwide Partner Group Microsoft
Edited by - seahorse on 12 December 2002 04:39:43

HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 12 December 2002 : 06:59:43
quote: Originally posted by @tomic
quote: Primary admin does not mean he should have access to your password. Imagine the President of your Bank(just one example) having access to your banking password.
You're kidding right? You think the President couldn't get the password if he or she wanted to?
@tomic
Theoretically he can, yes, but in the real world this doesn't generally happen.
At some places I have worked at in the past, all administrative passwords were kept in sealed envelopes in the company safe, so if anything untoward should happen, the important passwords were available if required. Other than that, nobody has any right to know your password, and you should not pass on that information to ANYBODY. Some companies will get rid of you if they find you have given your password to someone else; at sensitive companies, users are assigned a new password every month.

GauravBhabu
Advanced Member
4288 Posts
Posted - 12 December 2002 : 07:15:05
quote: Originally posted by @tomic
That's what I mean. You or whoever is the admin and has and should have that level of control.
@tomic
Having control is different. Yes! They can lock/freeze/close/charge to your account. But passwords, AFAIK... I receive my password in a sealed envelope, and when I call my bank they tell me they have no access to the password as they are encrypted. The only thing they are able to do is reset it to a specific password, which I change.
quote: Originally posted by @tomic
You can download the stinking database if you want. The sky's the limit.
@tomic
Talk about flavor dear.

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 12 December 2002 : 09:22:20
Thing is, when you call, you talk to the 'Bankers', not the IT people building and controlling the systems. Sure, the bankers probably can't tell you what it is, but I'll bet the IT people can.
Kiwihosting.Net - The Forum Hosting Specialists

GauravBhabu
Advanced Member
4288 Posts
Posted - 12 December 2002 : 09:36:28
It is the technical people who they transfer to for such requests, at least that is my experience.

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 12 December 2002 : 10:49:09
I've been in Banking & Banking IT for about 15 years. Certainly from my experiences this side of the world (and many of the RFIs I worked on for overseas banks in Europe and the USA) I can say the banks (that includes their helpdesks) will never pass you to IT staff for such a query. Even for those banks who run their own in-house IT (many outsource a large percentage of it), the banking business and the IT business are generally two very separate and independent units, and rarely do they even communicate with each other except by way of a Business Analyst etc.
Kiwihosting.Net - The Forum Hosting Specialists
Edited by - Gremlin on 12 December 2002 10:50:49