Association Web Security Needs Are Different
The security needs of a member-based association web site are
likely to differ from those of other web sites in several
ways. One is that a member-based web site that delivers member
benefits directly via the web may have more complex security
needs than the typical web site that is entirely public or that
distinguishes only between public and private areas. This will
be true if member benefits depend on levels of membership or
participation in different subgroups.
Associations have an overriding need to accurately match members
who come to an association web site to that member's
membership record. This is quite unlike the needs of purely
e-commerce web sites or web sites that are part of a traditional
business. At purely e-commerce sites, new customers will
create new customer records when they first make a purchase.
At that time they will use their e-mail address or choose a
unique username or be assigned a unique username. From that
point forward the username will uniquely identify the customer in
his or her dealings with the online merchant.
Even if the customer forgets their username and password, this is
not likely to be a serious issue for either the customer or the
web site. If the customer had pending orders, they are still likely
to be delivered correctly. If the customer reregisters under a new
username, all the web site loses is some marketing information. If
the customer's username is their e-mail address, the web site is
likely to have an automated mechanism that will send the customer
their password, admittedly in plain text, but as a practical matter
the likelihood of it being intercepted is minuscule. A more
sophisticated scheme would e-mail a generated URL to the customer.
The customer could then use that URL to retrieve the password on
an SSL encrypted web page that is created uniquely for the
customer based on the URL.
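The generated-URL scheme described above, written out as an added example (it is not code from this page or from GeodSoft): the site stores only a hash of a random token, mails the full token in the URL, and honours it once and only within a time limit. The store, the base URL, the one-hour lifetime and the function names are all assumptions of this example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store: sha256(token) -> record. A real site would
# keep this in its database, but only ever the hash, never the token.
_pending = {}


def issue_recovery_url(customer_id, base_url="https://example.com/recover",
                       ttl_seconds=3600, now=None):
    """Create a single-use, time-limited recovery URL for one customer.

    Only the hash of the token is kept server-side, so reading the table
    does not yield a usable link; the token itself exists only in the
    e-mail sent to the customer.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    _pending[token_hash] = {
        "customer_id": customer_id,
        "expires_at": now + ttl_seconds,
        "used": False,
    }
    return f"{base_url}?t={token}"


def token_from_url(url):
    """Extract the token parameter from a recovery URL (assumed name 't')."""
    return parse_qs(urlparse(url).query).get("t", [""])[0]


def redeem_recovery_token(token, now=None):
    """Return the customer_id for a valid token, marking it used.

    Returns None when the token is unknown, expired, or already redeemed,
    so a guessed, stale, or replayed link yields nothing.
    """
    now = time.time() if now is None else now
    entry = _pending.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry["used"] or now > entry["expires_at"]:
        return None
    entry["used"] = True
    return entry["customer_id"]
```

The page that the URL opens should then let the customer set a new password over SSL rather than echo the old one back; nothing in this example ever needs the stored password in plain text.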
A traditional business with a web site may or may not attempt to
match new web customers with existing customers from their offline
customer database. If they do attempt to make the match this
will be for profiling and targeted marketing purposes. If a
mismatch is made it won't create a situation where one customer
pays for goods or services that are delivered to a different
customer. Store customers will pay for goods when they pick them
up and online customers will provide or confirm credit card and
shipping information for each purchase that they make. About the
worst that's likely to happen if the retailer mismatches online
and offline customers will be that a customer gets advertisements
or offers of little or no interest to them.
An association has a very different problem. Typically a member
pays dues on an annual basis. Throughout the year some
significant portion of the member benefits that those dues pay
for are delivered to an address that's stored in the member
database. For a membership system to continue to work, an
association must match its members who come to the web site for
the first time with their member record in the central database.
The matches must be correct whether the member originally
provided their real first name or a nickname, a middle initial,
or any titles or suffixes. The match must be correct regardless
of whether the member previously used a business address, home
address or post office box or even if the member has moved since
they previously provided their address. Their reason for coming
to the web site might be to change some of their personal
information. Anyone who has de-dupped records obtained from
multiple sources for promotional purposes knows how difficult it
is to get entirely accurate computer matches. Any large
association and many small ones will have multiple members with
the same name. The match between a new web visitor and the
central database member record must be made correctly the first
time or two different members' histories will become inextricably
entwined.
There is only one piece of information that can be requested from
members when they come to the web site for the first time
that will reliably match them to their
member database record. That is the member ID number assigned by
the membership database. Members may not know this number but are likely to
be able to find it on subscription labels, member cards or other
association communications. They also need to be asked at least
one other piece of information that must match with the data
stored in the member record for the provided ID number. The
obvious piece is the member's last name. Without this, anyone
could come to the web site and start entering numbers until a
valid one was found. Matching will be complicated if the last
name field contains any other data such as suffixes.
For associations that have greater than normal security
requirements one or more additional pieces of information should
be solicited and matched to the member database. This should be
information that the member is likely to know or can obtain
easily and that the general public cannot obtain easily. It
should also be data that the member will likely enter in the same
format as it is stored in the member database or that can easily
be made to match by forcing all characters to upper or lower case
or removing punctuation or other simple transformations.
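As an added example of the first-visit match described in the two paragraphs above (not code from this page or from GeodSoft): the lookup requires the member ID plus the last name, optionally a third field, and compares the typed values only after the simple transformations the text mentions (case folding, punctuation removal, dropping common suffixes). The member records, the suffix list, the postal-code field and the function names are constructed assumptions of this example.

```python
import re

# Constructed sample member records keyed by member ID, stored the way a
# membership database often holds them: last names as typed, suffixes included.
MEMBERS = {
    "100234": {"last_name": "O'Brien, Jr.", "postal_code": "20001"},
    "100235": {"last_name": "SMITH", "postal_code": "02134-1234"},
    "100236": {"last_name": "Smith", "postal_code": "98101"},
}

# Assumed list of suffixes that members may or may not type.
SUFFIXES = {"JR", "SR", "II", "III", "IV", "ESQ", "MD", "PHD"}


def normalize_name(value):
    """Upper-case, strip punctuation and common suffixes, so that
    "O'Brien, Jr." and "obrien" compare equal."""
    tokens = re.sub(r"[^A-Za-z0-9 ]", " ", value).upper().split()
    return "".join(t for t in tokens if t not in SUFFIXES)


def normalize_postal(value):
    """Digits only, reduced to the first five (ZIP+4 becomes ZIP)."""
    return re.sub(r"\D", "", value)[:5]


def match_member(member_id, last_name, postal_code=None, members=MEMBERS):
    """Return the member ID only when the ID exists AND the normalized last
    name matches AND, when the site asks for it, the postal code matches.

    Every failure returns None; the caller should show one generic
    message so the response does not reveal which field was wrong, which
    is what stops a visitor from simply walking through ID numbers.
    """
    member_id = member_id.strip()
    record = members.get(member_id)
    if record is None:
        return None
    if normalize_name(last_name) != normalize_name(record["last_name"]):
        return None
    if postal_code is not None and \
            normalize_postal(postal_code) != normalize_postal(record["postal_code"]):
        return None
    return member_id
```

Note that the two Smiths only match on their own ID; the last name by itself never selects a record, which is the point of asking for the ID first.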
This same information could be requested each time a member came
to use the web site but the system will be easier to use if this
is the first step of an online registration procedure in which
the member creates a username and password for future use. Unlike
most online systems, an e-mail address may not make good sense
for use as a username. If the membership comes from professionals in
very small companies, some of them will share e-mail addresses.
Such associations can let members assign themselves usernames on
a first come, first served basis.
Allowing members to assign themselves passwords is a little
trickier. If there are no controls on either username or password
and the online membership is large, there will be some
combinations like john:john, david:david or mary:mary.
Just going down common first and last name lists is likely to get
an intruder one or more valid member usernames and passwords. If
pseudo randomly generated passwords are assigned, there will
likely be complaints that they are too hard and they will almost
certainly be placed where family or coworkers can easily find
them. Depending on the association, this may or may not be a
problem.
A set of rules that I've used that tends to result in decent
passwords requires a minimum of six characters. There must be at
least one letter and at least one non-letter. Also, neither the
password nor the username may be fully contained within the
other. Note however that all but one of the bad passwords that I
gave as examples meets these requirements. As of mid-2012,
I would increase the minimum to eight and maybe add mixed case to the
requirements. How good the passwords should be depends on who
you are, whom you do not want to have access, and what steps you
take to verify that your members are who and what they claim to be
when they first apply for membership.
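The rule set just described, and the john:john style pairs from the previous paragraph, as an added example (not code from this page or from GeodSoft): a checker that reports every rule a candidate password breaks, with the original six-character policy and the mid-2012 eight-character, mixed-case variant as two parameter sets. Treating the containment rule case-insensitively is an assumption of this example, as are the policy names and function names.

```python
# Assumed names for the two policies the text describes.
POLICY_2000 = {"min_length": 6, "mixed_case": False}
POLICY_2012 = {"min_length": 8, "mixed_case": True}


def password_problems(username, password, policy=POLICY_2000):
    """Return the list of rules the candidate breaks; an empty list means
    the password is acceptable under the given policy."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(not c.isalpha() for c in password):
        problems.append("no non-letter character")
    # Containment is checked case-insensitively (assumption), so "John" vs
    # "john123" is still rejected.
    u, p = username.lower(), password.lower()
    if u and (u in p or p in u):
        problems.append("username and password contain one another")
    if policy["mixed_case"] and not (
            any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper and lower case")
    return problems


def is_acceptable(username, password, policy=POLICY_2000):
    """True when no rule is broken."""
    return not password_problems(username, password, policy)


# The username-equals-password pairs from the text, as constructed input.
BAD_PAIRS = [("john", "john"), ("david", "david"), ("mary", "mary")]


def screen_pairs(pairs=BAD_PAIRS, policy=POLICY_2000):
    """Map each (username, password) pair to its list of broken rules, the
    way a registration form would before accepting a self-chosen password."""
    return {u: password_problems(u, p, policy) for u, p in pairs}
```

Rejecting a password is only half the job; the form should also tell the member which rule was broken, since a bare "invalid password" is what drives people to write the eventual choice down next to the keyboard.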
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.