How does this work?

[Determined2012]

Disclaimer: Please be easy!!! I do not have a background in any of this stuff---A lot of the stuff I have been reading about for the last 3 weeks on these different forums is stuff that I am seeing or trying to understand for the 1st time ever in life---I know that I have to start somewhere- so I'm going to ask my questions no matter if they sound dumb or not!

I am starting at rock bottom UNDER the rocks- so please bear with me…If these questions are no brainers and or stupid to YOU please do not respond to tell me that! I already KNOW that I DON'T KNOW what I am talking about! If however you can provide an answer, or a link that can explain what I am asking please do that if you can.


1) How do websites ( like Facebook, Twitter, WordPress, Ebay, ) that store user ID and Passwords secure the sensitive information? Is this Domain locking? Sender ID? A combination of security features? (What are the names of those features?)


Can a 3rd party website (arbitrarily) store user id/ passwords for (their) users if users elect (on their own) to put this information in to the 3rd party website? Or would this 3rd party website have to (in advance, or at creation of their site) obtain some type of authorization from the primary site (Facebook, etc.) to collect and store this information to their site?


If the primary website is a banking or other financial type of website, would the process be the same for the 3rd party website to store the sensitive information?


For example: To me, Mint.com is a 3rd party website- You can "house" other websites (online banking websites) that you use elsewhere on the internet INSIDE of their site. What is this called?


Once inside the Mint website you can input your ID and password in for other banks OUTSIDE of the website… Once you do that, Mint has the access to monitor and update your banking details inside of their site.

Does Mint have a pre set agreement with all of the online banking sites that gives them authority to do this? If so what type of agreement is that, and what does it take to get one? Mint.com redirects you to your primary banking site while still being INSIDE of THEIR website-- What is the name of the code or programming that is doing this?

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Steve W]

How do websites ( like Facebook, Twitter, WordPress, Ebay, ) that store user ID and Passwords secure the sensitive information?

Hi

I can't speak for other systems but the way I store passwords is to encrypt the password chosen by the user when they create the account, encrypt a randomly generated string of numbers/letters (this is called salting), join the encrypted sequences together and encrypt that.

The salt & the final encrypted values are stored in a database & authentication is done by performing similar functions on the password the user enters when logging in - if the final encrypted value for the password matches the stored value the user is authenticated.

No system is perfect but this works very well & is simple to do.

HTH...

 

[Felix II]

In regards to Mint, they most likely use what is called the OFX (Open Financial Exchange).
Google it for more information.

Regarding passwords, the basic idea is like Steve said. Your best bet is going to be to get a book on web application security and learn from that.

If you don't know anything about databases, servers, and scripting you should probably start there, or else the security side won't make a whole lot or sense.

What is your intended goal of asking these questions and what is your current knowledge of web development?

 

[Determined2012]

Thank you Steve.

Thank you Felix,
I am going to research OFX.

Learning about databases, servers, and scripting is a good starting point for me also- so thanks for that suggestions.

I am asking these questions because I want to understand how websites keep sensitive information safe. I want to know who (if anybody) can see the actual passwords.

My current knowledge of web development is little to none.

Thank you guys for your help!

Does anyone have any insight on how third party sites work with and access information from primary websites?

I was able to answer my own question:

The answer is OAuth 2.0

"The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf."

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.