The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Designing secure online PIM

I am planning to develop a web-based personal information manager using Visual Web Developer 2008 Express Edition SP1. It will contain my bank details, site passwords and user ids, investment records, etc. Though this information is very critical, I want to make it available on the web so that I can access the details anywhere.

I want to know how to create a fool-proof security strategy for making such a website. Where to host this type of site and what security considerations to take for database, web-traffic etc.
K
Friday, October 17, 2008
 
 
Remember secure information is only as fool proof as the fool who has access to it.
0x90
Friday, October 17, 2008
 
 
Ok, I am that fool who has access to it. Still please suggest.
K
Friday, October 17, 2008
 
 
I have planned in this way:

(1) The Home Page will ask for the UserName and Password.

(2) If the login is successful, it will ask to enter the Encryption/Decryption Key. The key will not be stored on the site. It will be temporarily cached on the client machine, and will be erased as soon as its job is over.

(3) Database will contain encrypted values. Encryption Algorithm will be AES 256.

(4) Passwords will be stored as SHA512.

(5) On every successful login, a temporary log will be created and this will be emailed to me when the user has worked on critical parts of the program.

Please suggest further.
K
Friday, October 17, 2008
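
Steps (2) to (4) of the plan above, worked through as an added example that is not part of the original post. It assumes Node.js's built-in crypto module, AES-256 in GCM mode, and salted scrypt in place of a bare SHA-512 digest for the login password; all function names and sample values are constructed for illustration.

```javascript
// Added example, not code from the thread. Assumptions: Node.js built-in crypto,
// AES-256-GCM, scrypt with Node's default cost parameters.
const nodeCrypto = require("node:crypto");

const KEY_LEN = 32; // 256-bit AES key

// Step (4): store a salted, slow hash of the login password, never the password.
function hashLoginPassword(password) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(password, salt, 64);
  return { salt: salt.toString("hex"), hash: hash.toString("hex") };
}

function verifyLoginPassword(password, stored) {
  const candidate = nodeCrypto.scryptSync(password, Buffer.from(stored.salt, "hex"), 64);
  // Constant-time comparison; both buffers are 64 bytes long.
  return nodeCrypto.timingSafeEqual(candidate, Buffer.from(stored.hash, "hex"));
}

// Step (2): the AES key is derived from a separate passphrase and is never stored;
// only the random salt is kept next to the record.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, KEY_LEN);
}

// Step (3): encrypt one field with a fresh salt and 96-bit nonce per record.
function encryptField(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() }; // what the database holds
}

function decryptField(passphrase, rec) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, rec.salt), rec.nonce);
  d.setAuthTag(rec.tag);
  // final() throws if the passphrase is wrong or the stored record was modified.
  return Buffer.concat([d.update(rec.ct), d.final()]).toString("utf8");
}

// Returns null instead of throwing, so callers can reject bad keys or tampered rows.
function tryDecrypt(passphrase, rec) {
  try { return decryptField(passphrase, rec); } catch (e) { return null; }
}
```

The database row holds only the salt, nonce, ciphertext and tag, so a copy of the database alone does not reveal the fields without the passphrase.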
 
 
Why do you need access to this information from anywhere?!
cynic
Friday, October 17, 2008
 
 
One possibility is to create a Truecrypt file and use Dropbox.
cynic
Friday, October 17, 2008
 
 
Why have that kind of information online? Why not use an encrypted USB key that you carry with you? Much more secure and convenient.
ps
Friday, October 17, 2008
 
 
How about an application that you can put on a flash drive or your mobile phone?
ScottK
Friday, October 17, 2008
 
 
"(5) On every successful login, a temporary log will be created and this will be emailed to me when the user has worked on critical parts of the program."

That way you know that you've been compromised, although knowing after the fact is not really much use.

I don't see the point of this application.

If I were you, I would paste this information into a gmail mail to yourself, then just keep it in your gmail account, so you can access it from anywhere.

Let Google take care of the security.
Scorpio Dragon
Saturday, October 18, 2008
 
 
If you need to ask this question, you are probably not the right person to be developing this if you believe it is critical to get it right.

Monday, October 20, 2008
 
 

This topic is archived. No further replies will be accepted.
