Thread: Two factor authentication implementation...
Post #1 (permalink)   05-17-2016, 05:10 AM
slob54 (HD Newbie) | Join Date: May 2016 | Posts: 2
Hi all. I am developing a website for my dad's men's wear store. We are planning to add online shopping features to the website. We are considering two factor authentication to prevent unauthorized access and are thinking of approaching <URL snipped>. What is your opinion on implementing TOTP for the website? Is it more secure? Is it possible to do the two factor authentication by myself? If so, please tell me, how can I implement it? Please do reply ASAP.
 
 
 


Post #2 (permalink)   05-17-2016, 12:50 PM
cheapdedicated (HD Guru) | Join Date: Jan 2013 | Posts: 750
If you use WordPress, you may consider a plugin called Two Factor Auth.
__________________
Techsys Ltd | Dedicated Servers | V.P.S | Free Plesk Panel
G8 Servers cPanel Reseller VPS Reseller Dedicated Server Resellers

G8 Host Cheap Domains | Shared Hosting | SSL
 
 
 


Post #3 (permalink)   05-17-2016, 05:05 PM
whmcsguru (HD Addict) | Join Date: May 2016 | Posts: 222
One has to ask why.

If major retailers haven't gone down this road, then why would you want to? Target, Walmart, Amazon, Newegg, eBay... These aren't small sites, and they've all avoided this for now.

It comes down to the amount of time put in vs the amount of frustration and reward. This is one you're probably going to have to rethink. I can't count the number of times I've taken 2fa off of sites just because it just doesn't work as well as it should.

Users get frustrated, they leave when you present them with more complications. That just cost you a customer.
__________________
WHMCS Guru - WHMCS addons, management, support and more.
WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to your WHMCS install!
WHMCS User and IP Extended Control - Take control of your WHMCS install
Linux admin, WHMCS Guru for hire. PM me for more information
 
 
 


Post #4 (permalink)   05-18-2016, 02:31 AM
slob54 (HD Newbie) | Join Date: May 2016 | Posts: 2
Quote (Originally Posted by whmcsguru):
One has to ask why.

If major retailers haven't gone down this road, then why would you want to? Target, Walmart, Amazon, Newegg, eBay... These aren't small sites, and they've all avoided this for now.

It comes down to the amount of time put in vs the amount of frustration and reward. This is one you're probably going to have to rethink. I can't count the number of times I've taken 2fa off of sites just because it just doesn't work as well as it should.

Users get frustrated, they leave when you present them with more complications. That just cost you a customer.
OK. Then could you please tell me some reliable means to secure the user side?
 
 
 


Post #5 (permalink)   05-18-2016, 04:53 AM
cheapdedicated (HD Guru) | Join Date: Jan 2013 | Posts: 750
Quote (Originally Posted by slob54):
OK. Then could you please tell me some reliable means to secure the user side?
You will need a combination:
Install an SSL.
Check and limit use of weak passwords.
Have a security question added to your system during password recovery.
You may also (if really necessary) demand a password change after X months.
Unless it's necessary, you may also choose not to store CC.

The list is definitely endless; just determine what is best suited for you.
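As an added example that is not part of any post in this thread: a weak-password check of the kind suggested in the post above ("check and limit use of weak passwords"), written in Python. It rejects very short passwords, common passwords even when disguised with trailing digits or leetspeak ("P@ssw0rd2016!"), passwords containing the account's username, and passwords with almost no variety. The minimum length of 12, the tiny denylist and the substitution map are assumptions chosen for illustration; a real deployment would load a large list of breached or most-common passwords in place of the sample set.

```python
import re
from typing import List

MIN_LENGTH = 12   # assumed policy value; the thread gives no number

# Constructed sample denylist. In production, load a large list of breached or
# most-common passwords here; the check below is only as good as this list.
COMMON_PASSWORDS = {
    "password", "qwerty", "letmein", "iloveyou", "welcome", "monkey",
    "dragon", "football", "baseball", "sunshine", "princess",
}

# Map the usual symbol/digit substitutions back to letters so "P@ssw0rd"
# is recognised as "password".
_LEET = str.maketrans("@0135$47", "aoiessat")
# A trailing run of digits and/or punctuation, e.g. the "2016!" in "Password2016!".
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalize(password: str) -> str:
    """Lower-case, drop a trailing run of digits/punctuation, then undo
    leetspeak, yielding the base word the user actually chose."""
    base = _TRAILING_JUNK.sub("", password.lower())
    return base.translate(_LEET)


def check_password(password: str, username: str) -> List[str]:
    """Return the reasons a password is weak; an empty list means acceptable."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in COMMON_PASSWORDS:
        reasons.append("is a commonly used password")
    if len(username) >= 3 and username.lower() in password.lower():
        reasons.append("contains the account's username")
    if len(set(password)) <= 3:
        reasons.append("uses too few distinct characters")
    if password.isdigit():
        reasons.append("consists only of digits")
    return reasons


def is_acceptable(password: str, username: str) -> bool:
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("P@ssw0rd123!", "bobsmith2016!!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, "bobsmith") or "acceptable")
```

Returning the list of reasons rather than a bare yes/no lets the signup form tell the user exactly what to change, which keeps the friction the later posts worry about to a minimum: the user fixes one thing instead of guessing.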
 
 


Post #6 (permalink)   05-18-2016, 08:07 AM
whmcsguru (HD Addict) | Join Date: May 2016 | Posts: 222
I wouldn't really recommend password changes, or password strength requirements, as this will just cause more security issues down the road.

As far as storing their card, don't do it directly, but go with a token based processor, such as Quantum Vault or authorize.net or even stripe. Make them do the heavy lifting for you.

Adding to the above post though, let your users know somehow when they last logged in, and from what IP. Why? If they don't recognize it, they'll contact you.

Make sure you store all logins for the customer: time, date, IP, hostname. Why? It'll make things much easier for you in the long run.

Security questions are good, but don't make them too good. Remember, not everyone is married, dating someone, has a car, drives, has a pet. Stick with the basics, and allowing them to write their own question is always a good thing.
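Added example, not from any poster in this thread: a Python sketch of the login history and "last login" banner described in the post above. Every attempt is stored with time, date, IP and hostname; after a successful login the user is shown where the previous successful login came from, and a successful login from an address the account has never used before is flagged so the site can notify the user. The in-memory store, the field names, the decision to count only successful logins as "recognised" addresses, and the sample addresses (taken from RFC 5737 documentation ranges) are this example's assumptions; a real shop would persist the same columns in a database table.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime      # time and date of the attempt, stored in UTC
    ip: str
    hostname: str       # reverse-DNS name looked up at login time; "" if none resolved
    success: bool


class LoginLog:
    """Append-only record of every login attempt. In-memory here; a real shop
    would persist this to a database table with the same columns."""

    def __init__(self) -> None:
        self._events: List[LoginEvent] = []

    def record(self, event: LoginEvent) -> None:
        self._events.append(event)

    def history(self, user: str) -> List[LoginEvent]:
        return [e for e in self._events if e.user == user]

    def last_successful(self, user: str) -> Optional[LoginEvent]:
        successes = [e for e in self.history(user) if e.success]
        return successes[-1] if successes else None

    def seen_ips(self, user: str) -> Set[str]:
        # Only successful logins count as "recognised": failed guesses from
        # an unknown address must not make that address trusted.
        return {e.ip for e in self.history(user) if e.success}


def on_login(log: LoginLog, user: str, ip: str, hostname: str,
             when: datetime, success: bool) -> Dict[str, object]:
    """Record the attempt, then decide what to tell the user.

    Returns the "last login" banner to show after a successful login and
    whether to notify the user because this address was never used before.
    """
    new_ip = success and ip not in log.seen_ips(user)   # evaluate before recording
    previous = log.last_successful(user)
    log.record(LoginEvent(user, when, ip, hostname, success))

    if not success:
        return {"banner": "", "notify_user": False}
    if previous is None:
        banner = "This is your first login."
    else:
        shown_host = previous.hostname or "no hostname"
        banner = (f"Last login: {previous.when:%Y-%m-%d %H:%M} UTC "
                  f"from {previous.ip} ({shown_host})")
    return {"banner": banner, "notify_user": new_ip and previous is not None}


def demo() -> List[Dict[str, object]]:
    """Constructed sample activity for one account."""
    log = LoginLog()

    def at(day: int, hour: int, minute: int) -> datetime:
        return datetime(2016, 5, day, hour, minute, tzinfo=timezone.utc)

    return [
        on_login(log, "alice", "203.0.113.10", "home.example.net", at(17, 9, 0), True),
        on_login(log, "alice", "203.0.113.10", "home.example.net", at(18, 8, 30), True),
        on_login(log, "alice", "198.51.100.7", "", at(18, 23, 5), False),   # failed attempt
        on_login(log, "alice", "198.51.100.7", "", at(18, 23, 6), True),    # success from an unseen IP
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The fourth event is the one worth a notification: a successful login from an address this account has never used. The failed attempt just before it from the same address does not suppress the flag, because failed attempts are never added to the recognised set.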
 
 


Post #7 (permalink)   05-18-2016, 08:18 AM
easyhostmedia (HD Wizard) | Join Date: Mar 2011 | Location: Northumberland, UK | Posts: 4,532
Quote (Originally Posted by whmcsguru):
I wouldn't really recommend password changes, or password strength requirements, as this will just cause more security issues down the road.
How?

Check with any security expert and they will also recommend regular password changes and setting up password strength requirements, which provides better security.

We have password strength requirements set and have our system set so users are forced to change their passwords every 3 months.
__________________
Terry Robertson - CEO The Easyhost Media Group
Niceday Hosting - Affordable Hosting
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
 


Post #8 (permalink)   05-18-2016, 08:35 AM
whmcsguru (HD Addict) | Join Date: May 2016 | Posts: 222
Anything you do to frustrate your customers is going to cost you a customer. While many people (myself included) swear by password managers for websites and do come up with some rather complicated ones, the majority do not and won't. If they see you forcing them to change their password, or come up with a complexity they don't like, they'll leave.

Again, look at the example of the major sites and go from there. Yes, there are a few that require password changes, but most do not, and for a reason. Customers tend to just simply walk away, with their pocketbooks in hand.
 
 
 


Post #9 (permalink)   05-18-2016, 08:44 AM
easyhostmedia (HD Wizard) | Join Date: Mar 2011 | Location: Northumberland, UK | Posts: 4,532
Quote (Originally Posted by whmcsguru):
Anything you do to frustrate your customers is going to cost you a customer. While many people (myself included) swear by password managers for websites and do come up with some rather complicated ones, the majority do not and won't. If they see you forcing them to change their password, or come up with a complexity they don't like, they'll leave.

Again, look at the example of the major sites and go from there. Yes, there are a few that require password changes, but most do not, and for a reason. Customers tend to just simply walk away, with their pocketbooks in hand.
Never lost any customer due to this since I started in 1999.

Even WHMCS now requires its users to change their passwords on a regular basis.

One reason many accounts get hacked etc. is people using simple word passwords. Yes, most people won't use password managers, so you need to educate them into making sure their sites are secure in as many ways as possible, and if that means having them change their passwords on a regular basis, then so be it.

Last edited by easyhostmedia : 05-18-2016 at 08:46 AM.
 
 
 


Post #10 (permalink)   05-18-2016, 08:55 AM
cheapdedicated (HD Guru) | Join Date: Jan 2013 | Posts: 750
Quote (Originally Posted by whmcsguru):
Anything you do to frustrate your customers is going to cost you a customer. While many people (myself included) swear by password managers for websites and do come up with some rather complicated ones, the majority do not and won't. If they see you forcing them to change their password, or come up with a complexity they don't like, they'll leave.

Again, look at the example of the major sites and go from there. Yes, there are a few that require password changes, but most do not, and for a reason. Customers tend to just simply walk away, with their pocketbooks in hand.
To the best of our knowledge we have not lost a client due to asking that they pick a fairly secure password, BUT even if that were the case, I would rather lose a client than compromise their security because I want it to be so easy for them. To me security is number 1 along that route.
 
 
 


Post #11 (permalink)   05-18-2016, 09:13 AM
easyhostmedia (HD Wizard) | Join Date: Mar 2011 | Location: Northumberland, UK | Posts: 4,532
Quote (Originally Posted by cheapdedicated):
To the best of our knowledge we have not lost a client due to asking that they pick a fairly secure password, BUT even if that were the case, I would rather lose a client than compromise their security because I want it to be so easy for them. To me security is number 1 along that route.
I agree. If a client will not use a secure password, then they could compromise the whole server if someone gains access to their site, so are these clients worth keeping?
 
 
 


Post #12 (permalink)   05-18-2016, 09:18 AM
cheapdedicated (HD Guru) | Join Date: Jan 2013 | Posts: 750
Quote (Originally Posted by easyhostmedia):
I agree. If a client will not use a secure password, then they could compromise the whole server if someone gains access to their site, so are these clients worth keeping?
By the way, as long as you guide the client on what they need in their password to be secure, they very easily follow. Of course, since they may sometimes forget the secure password, the "Forgot Password" option should be easy to see and use, to limit those frustrations.
 
 
 


Post #13 (permalink)   05-18-2016, 12:55 PM
whmcsguru (HD Addict) | Join Date: May 2016 | Posts: 222
We're not talking hosting accounts here, we're talking a shop, a store. If a hosting client has a bad password, then yes, something could be compromised on the server. If a store has a bad password, well, all that's going to happen is their account will get hacked and someone can order using it. Big, big difference here.
 
 
 


Post #14 (permalink)   05-18-2016, 01:03 PM
easyhostmedia (HD Wizard) | Join Date: Mar 2011 | Location: Northumberland, UK | Posts: 4,532
Quote (Originally Posted by whmcsguru):
If a store has a bad password, well, all that's going to happen is their account will get hacked and someone can order using it.
WRONG. What do you store in an account?

name
address
DOB
credit card details
etc.

A lot can happen due to weak passwords (ID theft), and even in an online store a sophisticated gang could hack into your account and then find a way into the store's server.
 
 
 


Post #15 (permalink)   07-26-2016, 05:39 PM
WiredBladeCom (HD Newbie) | Join Date: Jul 2016 | Posts: 35
It is definitely more secure and quite easy to set up. Google 'How to set up two-factor authentication' and you will find plenty of useful tutorials. I set one up myself and it took only a couple of hours.
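Added example, not from any post in this thread and unrelated to the snipped URL in the first post: a minimal TOTP (RFC 6238) generator and verifier in Python using only the standard library, showing what "doing it yourself", as the first post asks, actually involves. The 30-second step, 6 digits and HMAC-SHA1 are the defaults that common authenticator apps use; the one-step drift window, the replay check via the last accepted counter, and the constant-time comparison are design choices of this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Assumed parameters: the defaults most authenticator apps use (RFC 6238 / RFC 4226).
STEP_SECONDS = 30
DIGITS = 6


def generate_secret(num_bytes: int = 20) -> str:
    """Create a random shared secret, base32-encoded so it can be typed into or
    QR-scanned by an authenticator app during enrolment."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits and zero-pad."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[float] = None,
                window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Check a user-submitted code.

    Returns the time-step counter that matched, or None if the code is rejected.
    - `window` steps either side of "now" are accepted to tolerate clock drift.
    - Any counter <= `last_counter` (the counter of the last code accepted for
      this user, which the server must persist) is refused, so a code that was
      observed once cannot be replayed within the window.
    - Comparison is constant-time so timing does not leak which digits matched.
    """
    if at_time is None:
        at_time = time.time()
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = int(at_time) // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo: enrol a user, then verify the code their app would show now.
    secret = generate_secret()
    code = totp(secret)
    print("secret:", secret, "code:", code, "accepted at counter:", verify_totp(secret, code))
```

Two things the code cannot do for you: the per-user secret has to be stored server-side (encrypted at rest, since anyone holding it can mint codes) together with the last accepted counter, and the six-digit space is only a million values, so login attempts must be rate-limited or the second factor can be guessed. The implementation reproduces the RFC 6238 reference vectors: with the ASCII key "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at Unix time 59 it yields 287082, the last six digits of the RFC's 94287082.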
 
 
 