Security Procedures - Passwords etc

[matthew purser]

Currently running a small website which provides downloads of stationery, news info etc to our customers.

They currently can apply online for a password, and if they know their id number (4 digit number so none too hard to work out) we give them a password, which is all done automatically.

We don't do any checks really.

Now we're starting to think about putting specific content out there, management reporting, quote engines etc.

However we've run into the dilemma of how we're going to adminstrate this, our existing process has tons of holes in it. Similarly we can't 100% confirm that the existing users are who they say they are so we're going through a fairly manual process of getting them to re-apply and sign in blood so we know who they are and we give 'superuser' access to the owners of the business only.

So my question is, are there any standard security procedures one should work too. I.e is there a documented standard procedure for the provision of passwords, access rights etc anywhere?

The site will eventually become more of an extranet when it begins to interact with our backoffice systems but we need to get some more stringent policies in place first.

Fire away with questions and answers if possible!

Thanks in advance.

Matthew Purser

[rkissel]

Hi Matthew,
There is a considerable amount of guidance/best practices on passwords, etc on http://csrc.nist.gov/publications/
Questions? Email me.
Rich

[leeman]

This is not so much an answer to your issue, but rather a similar question. I am having difficulty accessing the internet with my NIS enabled. I can surf freely with it disabled. I cannot seem to adjust the sensitivity of the security/privacy settings to resolve this matter. Any thoughts?