It is important to realize that even a small website, even it is not profiting, should give importance to the security. Many users use the same password or a little variation of it when registering at many websites. So, a compromise to the password at your small website can lead to a bigger problem at a more serious website for your user.
Here are a few tips on how to ensure there is a decent level of security on your site
1. Always ensure to one-way encrypt user passwords. You only compare the encrypted password with the encrypted user-input at the login time to see if they match. With this model, there is no password retrieval mechanism. User has to request for resetting the password and you just send an email with a url containing a large key that’s hard to guess and when the user clicks the url, you can let the user reset the password.
2. A lot of code on the web shows hard-coded password when connecting to the database. For example, in perl it would be something like
$con = DBI->connect(‘dbi:mysql:your-database:localhost’,’your-db-name’,’plain-text-password’);
As there is no connection pooling or an application level connection management with simple cgi-scripts, the tendency is to have the above piece of code in each cgi-script. This essentially means that the database password has been written in plain text in multiple files. One choice is to put the connect statement in a file and include it into all the scripts that require database connection. With this, it’s easy to change the database details as necessary in a central place. In addition, ensuring proper read file permissions to this single file is sufficient to a large extent.