Currently running a small website which provides downloads of stationery, news info etc to our customers.

They currently can apply online for a password, and if they know their id number (4 digit number so none too hard to work out) we give them a password, which is all done automatically.

We don't do any checks really.

Now we're starting to think about putting specific content out there, management reporting, quote engines etc.

However we've run into the dilemma of how we're going to adminstrate this, our existing process has tons of holes in it. Similarly we can't 100% confirm that the existing users are who they say they are so we're going through a fairly manual process of getting them to re-apply and sign in blood so we know who they are and we give 'superuser' access to the owners of the business only.

So my question is, are there any standard security procedures one should work too. I.e is there a documented standard procedure for the provision of passwords, access rights etc anywhere?

The site will eventually become more of an extranet when it begins to interact with our backoffice systems but we need to get some more stringent policies in place first.

Fire away with questions and answers if possible!

Thanks in advance.

Matthew Purser