Association Web Security Needs Are Different

The security needs of a member based association web site are likely to be different than those of other web sites in several ways. One is that a member based web site that delivers member benefits directly via the web may have more complex security needs than the typical web site that is entirely public or that distinguishes only between public and private areas. This will be true if member benefits depend on levels of membership or participation in different sub groups.

Associations have an overriding need to accurately match members who come to an association web site to that member's membership record. This is quite unlike the needs of purely e-commerce web sites or web sites that are part of a traditional business. At purely e-commerce sites, new customers will create new customer records when they first make a purchase. At that time they will use their e-mail address or choose a unique username or be assigned a unique username. From that point forward the username will uniquely identify the customer in his or her dealings with the online merchant.

Even if the customer forgets their username and password, this is not likely to be a serious issue for either the customer or the web site. If the customer had pending orders, they are still likely to be delivered correctly. If the customer reregisters under a new username, all the web site loses is some marketing information. If the customer's username is their e-mail address, the web site is likely to have an automated mechanism that will send the customer their password, admittedly in plain text, but as a practical matter the likelihood of it being intercepted are miniscule. A more sophisticated scheme would e-mail a generated URL to the customer. The customer could then use that URL to retrieve the password on an SSL encrypted web page that is created uniquely for the customer based on the URL.

A traditional business with a web site may or may not attempt to match new web customers with existing customers from their offline customer database. If they do attempt to make the match this will be for profiling and targeted marketing purposes. If a mismatch is made it won't create a situation where one customer pays for goods or services that are delivered to a different customer. Store customers will pay for goods when they pick them up and online customers will provide or confirm credit card and shipping information for each purchase that they make. About the worst that's likely to happen if the retailer mismatches online and offline customers will be that a customer gets advertisements or offers of little or no interest to them.

An association has a very different problem. Typically a member pays dues on an annual basis. Throughout the year some significant portion of the member benefits that those dues pay for are delivered to an address that's stored in the member database. For a membership system to continue to work, an association must match its members who come to the web site for the first time with their member record in the central database.

The matches must be correct whether the member originally provided their real first name or a nick name, a middle initial, or any titles or suffixes. The match must be correct regardless of whether the member previously used a business address, home address or post office box or even if the member has moved since they previously provided their address. Their reason for coming to the web site might be to change some of their personal information. Anyone who has de-dupped records obtained from multiple sources for promotional purposes knows how difficult it is to get entirely accurate computer matches. Any large association and many small ones will have multiple members with the same name. The match between a new web visitor and the central database member record must be made correctly the first time or two different member's histories will become inextricably entwined.

There is only one piece of information that can be requested from members when they come to the web site for the first time that will reliably match them to their member database record. That is the member ID number assigned by the membership database. Members may not know this number but are likely to be able to find it on subscription labels, member cards or other association communications. They also need to be asked at least one other piece of information that must match with the data stored in the member record for the provided ID number. The obvious piece is the member's last name. Without this, anyone could come to the web site and start entering numbers until a valid one was found. Matching will be complicated if the last name field contains any other data such as suffixes.

For associations that have greater than normal security requirements one or more additional pieces of information should be solicited and matched to the member database. This should be information that the member is likely to know or can obtain easily and that the general public cannot obtain easily. It should also be data that the member will likely enter in the same format as it is stored in the member database or that can easily be made to match by forcing all characters to upper or lower case or removing punctuation or other simple transformations.

This same information could be requested each time a member came to use the web site but the system will be easier to use if this is the first step of an online registration procedure in which the member creates a username and password for future use. Unlike most online systems, an e-mail address may not make good sense for use as a username. If the membership comes from professionals in very small companies, some of them will share e-mail addresses. Such associations can let members assign themselves usernames on a first come, first serve basis.

Allowing members to assign themselves passwords is a little tricker. If there are no controls on either username or password and the online memberships is large, there will be some combinations that are like john:john, david:david or mary:mary. Just going down common first and last name lists is likely to get an intruder one or more valid member usernames and passwords. If pseudo randomly generated passwords are assigned, there will likely be complaints that they are too hard and they will almost certainly be placed where family or coworkers can easily find them. Depending on the association, this may or may not be a problem.

A set of rules that I've used that tends to result in decent passwords requires a minimum of six characters. There must be at least one letter and at least one non letter. Also neither the password nor the username may be fully contained within the other. Note however that all but one of the bad passwords that I gave as examples meets these requirements. As of mid 2012, I would increase the minimum to eight and maybe add mixed case to the requirements. How good the passwords should be is a matter of who you are, who do you not want to have access, and what steps to you take to verify that your members are who and what they claim to be when they first apply for membership.

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.