SAFE AND SECURE USING A COMBINATION OF (4) TOTAL ENCRYPTION TECHNIQUES

Several levels of security were put into the making of this software: server side, script side and database side. It is virtually impossible to decrypt the main admin password. It is impossible to decrypt user login details stored in the DB without the main admin password. So even if anybody gets access to your server, a full copy of the DB or even any of the scripts, they won't be able to decrypt your stored details.

Now I do not expect anyone to be storing their bank account information which may hold thousands of dollars within it. But it's good to know we've taken every step to secure your data as if you did.

Everything has a limit of vulnerability. Banks and government agencies are all proof of that. The only way around this is to protect something to the point where, for those attempting to break the bank so to speak, it is not worth the trouble. With LoginManagerPro we use a combination of (4) Total Encryption Techniques to secure the data, and the ONLY way to decrypt users' details is to brute-force the main admin password (which is virtually impossible, as mentioned below), and even then they would need to use another decryption algorithm. This all requires HIGH dollar equipment and a LOT of time.

Quick summary of the security side of the system:
- It is impossible to brute-force the system,
- It is impossible to decrypt the main login and password even if anybody gets a full DB dump,
- and it is impossible to decrypt stored login details to any system without the main admin login and password.
So if anybody gets full access to the DB and all scripts, they still won't be able to decrypt your usernames and passwords!

Using four (4) kinds of encryption:
The admin login is hashed with the MD5 algorithm and stored in the DB in the following form:
2a57a5a127743894a0e4a832f2901fc3
The admin password is hashed with the SHA1 algorithm and stored in the DB in the following form:
dda990ae2033e8aeb5660fc2142ae34c35850c47
Both of these algorithms are impossible to decrypt, which makes it impossible to find out your admin login/password details even if anybody gets the DB.

To check that what is entered into the login form really matches the login and password stored in the DB, the inputted data is hashed using the same algorithms and compared with the hashed data stored in the DB, so it is impossible to provide wrong login/password info to log into the system.
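
The check described above, written out as an added example (this is not LoginManagerPro's own code), next to a hardened variant that adds a random per-record salt, a slow key-derivation function and a constant-time comparison. The function names, the record layout and the PBKDF2 iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def store_as_described(login: str, password: str) -> tuple[str, str]:
    """Scheme from the page: MD5 of the login, SHA1 of the password, hex-encoded."""
    return (hashlib.md5(login.encode()).hexdigest(),
            hashlib.sha1(password.encode()).hexdigest())


def verify_as_described(login: str, password: str, stored: tuple[str, str]) -> bool:
    """Hash the submitted values the same way and compare with the stored digests."""
    md5_login, sha1_password = store_as_described(login, password)
    # compare_digest takes the same time wherever the first mismatch occurs
    return (hmac.compare_digest(md5_login, stored[0])
            & hmac.compare_digest(sha1_password, stored[1]))


def store_hardened(password: str) -> dict:
    """Hardened variant: random per-record salt and a deliberately slow KDF."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_hardened(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and iteration count, then compare."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample value
    a, b = store_as_described("admin", pw), store_as_described("admin", pw)
    print("described scheme, same input twice, same digests:", a == b)
    h1, h2 = store_hardened(pw), store_hardened(pw)
    print("hardened scheme, same input twice, same hash:", h1["hash"] == h2["hash"])
    print("both verify:", verify_as_described("admin", pw, a), verify_hardened(pw, h1))
```

With the unsalted scheme the same login or password always produces the same stored string, while the salted variant stores a different value each time and still verifies.
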
The only possible way to log in is a brute-force attack, but as mentioned above it is nearly impossible to use, because of the 15-second timeout after each unsuccessful try. So it is possible to make only 4 login tries per minute, which makes no sense for brute-forcing, which normally requires at least a few million tries (e.g. over 2,000 years in our case)...

Users' passwords are first encoded with blowfish and then encoded with base64 for DB compliance. A block of data entered into the login manager looks like this in the DB:
9YTFBux09sbHCadSSlIafM18c/ZSNTQ6fC683kfKJ3Y=
(This type of string contains your login details to any system. It doesn't show usernames or passwords at any time.)

The key used for blowfish encoding is your original login/password data, which is impossible to decrypt, so it is available to scripts ONLY after a successful login and is stored server-side for a short time during your session, in a protected form that can't be intercepted in any way.

The type of information stored is simply not worth the amount of time and trouble it takes to decrypt everything just to get to your login details. Also, guess what: the information you are using is already stored in a database on different servers, and it doesn't have our Total Encryption Technique applied to it.

If you have any further questions, comments or concerns, please feel free to contact me at www.customersupport.ws