Alternate security method

Forums: Suggestions and Feedback
Created on: 09/08/08 07:37 AM Views: 1608 Replies: 3
Monday, September 8, 2008 at 7:37 AM

Allow the administrator to choose the method of securing the website from classmates and others who have not set up a profile. The current method requires the administrator to send a "system Password" to access the system.

The proposed alternate (optional) security method is to allow the administrator to set up (up to) three security questions that the user can choose from a drop-down list of questions. They then provide the answer in an input box. If the answer matches what is stored in the database, they are allowed access to the password protected pages.

For example, the admin could set up the following questions (displayed on the security page in a drop-down that can be chosen by the user):

1. What was the last name of the choir teacher?
2. What was the school mascot?
3. What was the last name of the student body president?

At the same time that the admin chooses the questions, he provides the answers that are stored in the database. The questions can be any question that the admin can think up to which alumni, or more specifically classmates, would know the answer.

If the security question is answered correctly (not case sensitive), the user is granted access to the password protected pages. If the answer to the security question is unknown, the person trying to gain access would still have the option to contact the admin for a system password.

The advantage of this method is that the admin doesn't need to know the e-mail addresses of the classmates. Alumni from different graduating classes at the same high school could know the answers and gain access to the password protected pages (not quite as secure as a system password). Hackers not familiar with the high school probably would not know the answers and would not care to research the answers.

I propose that this method of security would be optional and if enabled would be in addition to the system password, but only one or the other would be required to gain access to the password protected pages.

I know - I sound like I am a security freak.

Monday, September 8, 2008 at 1:09 PM - Response #1

Nah no you don't. Security is a good thing. Unfortunately I actually find this to be a little on the insecure side (although I truly appreciate the creative recommendation).

1) As you mentioned, we'd have to make the 3 answers a dropdown. We could never rely on somebody's spelling to get in. But 3 answers really don't provide very many combinations. If 3 questions each had 3 dropdown answers, I'd be in within 5 minutes whether I knew the answers or not, just by trying various combinations. The more answers you create the harder it would be, but I think in many cases this would be pretty easily hacked.

2) Only 4% of schools password protect their Classmate Profiles page. The only people who could possibly use this alternate security method would be those 4% -- it's a major addition that 96% of schools would never use.

3) It adds another level of complexity to security. While it's a very creative idea, it's one more security option for new admins to understand and have to choose from. There's definitely beauty in simplicity.

4) Finally, we have yet another new security feature coming already that will prevent hijacking for either those schools who are having a current problem with it, or those schools who want to err on the side of caution. It will be included in the new Preferences area, which you can read about here.

Unfortunately if you password protect something and you want to get a non Classmate in, you'll still have to give out the system password. But then, there are trade-offs for having a page secured.

Your suggestions are creative and interesting. Please don't let me "shooting something down" stop you from making more suggestions. All suggestions are appreciated.
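The exchange above, the case-insensitive answer check from the original proposal and the small-guess-space objection in Response #1, can be made concrete in code. The following is an added example and is not code from the site being discussed; the question texts, the answers, the class and function names, the five-attempt lockout budget and the 10,000-answer estimate for free-text answers are all assumptions made for illustration. It stores answers as salted PBKDF2 hashes, compares them case-insensitively, and counts failed attempts per client; the `lockout_is_effective` helper shows why a per-client attempt limit does not rescue a drop-down with only a handful of answers, while it does help when answers are typed free-text.

```python
"""Illustrative security-question gate (added example; all names are assumptions)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # assumed work factor for hashing stored answers


def normalize(answer: str) -> str:
    """Case-insensitive match as the proposal describes; also collapses whitespace."""
    return " ".join(answer.strip().lower().split())


@dataclass
class StoredQuestion:
    question: str
    salt: bytes
    digest: bytes


def store_question(question: str, answer: str) -> StoredQuestion:
    """Hash the normalized answer with a per-question random salt instead of storing it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return StoredQuestion(question, salt, digest)


@dataclass
class SecurityQuestionGate:
    questions: list
    max_attempts: int = 5                         # assumed per-client failure budget
    failures: dict = field(default_factory=dict)  # client id -> consecutive failures

    def check(self, client_id: str, question_index: int, answer: str) -> bool:
        """Return True and reset the failure counter on a correct answer; False otherwise.

        Clients that have exhausted max_attempts are refused even with the right answer.
        """
        if self.failures.get(client_id, 0) >= self.max_attempts:
            return False
        stored = self.questions[question_index]
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                     stored.salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, stored.digest):  # constant-time comparison
            self.failures.pop(client_id, None)
            return True
        self.failures[client_id] = self.failures.get(client_id, 0) + 1
        return False


def worst_case_guesses(answers_per_dropdown: int) -> int:
    """Response #1's point: the user picks one question, so exhausting one question's
    drop-down is enough. The worst case is simply the number of answers offered."""
    return answers_per_dropdown


def lockout_is_effective(answers_per_dropdown: int, max_attempts: int) -> bool:
    """A per-client attempt limit only helps when the answer space exceeds the budget."""
    return worst_case_guesses(answers_per_dropdown) > max_attempts


def build_demo_gate() -> SecurityQuestionGate:
    """Constructed sample data mirroring the three questions in the original post."""
    return SecurityQuestionGate(questions=[
        store_question("What was the last name of the choir teacher?", "Smith"),
        store_question("What was the school mascot?", "Tigers"),
        store_question("What was the last name of the student body president?", "Jones"),
    ])


if __name__ == "__main__":
    gate = build_demo_gate()
    print("case-insensitive match:", gate.check("alice", 1, "  the TIGERS "[4:]))
    print("drop-down of 3 answers, 5 attempts allowed, lockout helps:",
          lockout_is_effective(3, gate.max_attempts))
    print("free-text answers (assumed ~10,000 plausible), lockout helps:",
          lockout_is_effective(10_000, gate.max_attempts))
```

The constant-time comparison and the salted hash are ordinary credential-storage hygiene; the part that speaks to the thread is `lockout_is_effective`: with three drop-down answers the whole space fits inside any reasonable attempt budget, which is exactly why Response #1 expected to get in "within 5 minutes whether I knew the answers or not".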

Monday, September 8, 2008 at 1:32 PM - Response #2

Only certain pages of my site are password protected.

I entered this request this morning. AFTER entering this request, I checked my class website and noticed that a "classmate" had registered, but when I looked at his info, it was just someone (a porn pusher) trying to hijack the classmate, so I just deleted the classmate and re-added him. It was my first experience with a hijacker.

I have checked out the new PREFERENCES pages, they are nice. For the "New Classmate Access Rights" in the new preferences area, when I change the access rights to "Verified", will there then be an E-mail that goes out to the classmate informing them that they have been verified? Would the Verifying process be something like just looking at their profile information to make sure it is not just a pornographer trying to get in?

Thanks for the great website. I showed my website to my dad (74 years old) and now he has created one for his graduating class - no help from me.

Monday, September 8, 2008 at 1:56 PM - Response #3

Great! Go dad!

You did the right thing -- if you get hijacked, immediately delete entire account, and re-enter Classmate's name. Most hijackers are looking for some way to mass communicate with the public, or mass email to a list. It's impossible even if they succeed in their hijacking. Thus they get discouraged and go away pretty quickly. Especially if you delete their "work" immediately, and it quickly becomes clear they will not get very far.

No, we have no email slated after account validation, but any restricted page the Classmate tries to access will bring up a message saying their account is awaiting validation. They'll know quite quickly exactly what's going on, and that they'll be able to access any protected pages or profiles shortly (once approved by the Admin).

