Frequently Asked Questions
The following are questions that many customers have asked about WBPS:
How much does it cost?
WBPS can be purchased for $24.95 (US Dollars). Click here to buy WBPS.
Will it run under Microsoft Vista?
Yes. We have conducted extensive tests of WebBuild Password Security in Microsoft Windows Vista. The program will run correctly, provided that you must have the most recent version (currently version 1.1.8). Click here for more information on running under Microsoft Vista, or click here for more information on upgrading your software to the latest version.
Will it run on a Macintosh?
WBPS requires the Windows Operating System. We have several customers who are using WBPS on Mac's, using BootCamp or Parallels. You can use practically any operating system and browser to access sites protected by WBPS, provided that they can run JavaScript and accept cookies.
How can I buy it?
Click the "Free Trial" link in the menu to the left and download a 30-day, fully-functional evaluation copy of WBPS. If you decide to purchase the software, you can click a "Buy Now" button or a "Buy" menu selection within the program.
Do my users have to have any special programs or software?
Visitors who want to log into and access secure areas of a WBPS-protected site need to have browsers that accept cookies and can run JavaScript code.
Is there a limit on the number of users on a WBPS site?
In theory, no. We have successfully conducted laboratory tests of WBPS sites with tens of thousands of users. Unfortunately, such a large number of users leads to large files that may require an inordinate amount of time for users to download and access when they log into your site. As a result, we recommend that a WBPS site not contain more than about 500 users, unless all users have high-speed access to your Web server (as in a corporate Intranet). We are working on a major upgrade to WBPS that will allow it to be used in applications with up to 500,000 users.
Does my server have to have any special software, services, or programs?
No. The server simply needs to be able to serve html (.htm) and JavaScript (.js) pages. You do not have to obtain an SSL certificate or invest in any security software for your server. As a result, WBPS is ideal for Web sites that run on shared or "public" servers, especially those that may be offered for free by your Internet Service Provider.
What is the difference between the free 30-day evaluation and the full version of WBPS?
The evaluation version is fully functional for 30 days. You can use it to create security for live Web sites for as many users as you require. We want you to be satisfied that it works in your environment before asking you to purchase the product.
Thirty days after you first run WBPS, you will no longer be able to run the program. WBPS files that were created with the evaluation version will cease to permit user logins approximately one month after they were created.
The full version is not time-limited after you purchase and register it. You can use it for as long as you want to create security for as many sites and password sets as you need.
How secure is a site protected by WBPS?
Extremely secure. It is almost impossible for an unauthorized user to gain access to WBPS-secured pages through attempting to "hack" or penetrate the protection scheme. It is, however, more probable that such an outsider might gain access through "human engineering". The best password authentication scheme in the world is easy to "crack" if users keep their usernames and passwords on "sticky notes" next to their computers. Consequently, it is important that organizations using WBPS adopt Good Security Practices to minimize the risk that their security is compromised.
It should also be noted that WBPS does not encrypt the transmission of data between a server and a browser. An "eavesdropper" who intercepts data transmissions between an authorized WBPS user and a Web server, might be able to read the content of secure pages at the same time the user does. This is a real danger if any of your users connect to your site -- even occasionally -- via unsecured wireless networks.
As a result, we recommend that WBPS not be used for highly-sensitive data (see next topic) unless it is augmented by an encryption technology like SSL.
The security of a WBPS-protected site also depends on the "guessability" of the names of secure pages. If you give your secure pages obvious names (like "employeepage.htm" or "addresses.html"), then it is possible for an outsider with certain browser settings to guess the pages and access them. If, however, you give your pages names that are difficult to guess, it is highly improbable that an outsider would be able to access and view them. Please see our Security Bulletin on this topic.
Are there sites that should not use WBPS?
As noted above, WBPS is a password-authentication method, but does not encrypt Web communications. WBPS works reliably to grant access to secure pages only to authenticated users, but it does not by itself protect an eavesdropping third party from intercepting the content of secure Web pages. If you need to protect against the possibility of an outsider intercepting your data, you should augment your WBPS security by using an encryption technology like SSL (Secure Sockets Layer).
Without encryption protection, you should not use WBPS for Web sites that contain:
Private or personal information, for example: patients' medical data, account
numbers, social security numbers, credit card numbers, passwords, etc.
Trade secrets or other proprietary information
Any other information that would cause financial loss or other damage if divulged
to unauthorized outsiders
WBPS is a ideal for sites where you want to keep information private, but where the loss of such information is not catastrophic. A good example is an organization that publishes a list of members' names, addresses, phone numbers, and email addresses. It is possible, if unlikely, that some unauthorized person might view a WBPS-protected page with this information, either through intercepting an unencrypted transmission, or by taking advantage of poor security practices. The liklihood that such a person would be able to use this information to cause significant harm is relatively minor in this example.
My site was designed with Cold Fusion/Front Page/Dreamweaver or has ASP/PHP pages. Can I use WBPS?
Yes. When you enter data for the "First Secure Page," just make sure that the page name contains the correct extension, like "SecurePage.asp" or "Customers.php". If the secure page is in a subfolder under your main Web folder, include it in the address: for example, "/data/MemberList.cfm".
Are there ways to make WBPS more secure?
Yes. The easiest thing to do is to ensure that your organization adopts Good Security Practices. This will enable you to realize the maximum amount of protection from WBPS.
Is there any way to tell if my site's security has been compromised or threatened?
WBPS has features that make it possible for you to obtain information about possible attempts to invade your site's security.
For each user, WBPS generates a unique user ID that is conveyed as a query
parameter when he/she successfully logs in and accesses a secure page.
By analysis of the Web server logs for your site, you should be able to develop
"norms" of how often most of your users visit secure pages. If you find one or
two users that are vastly outside of these norms (a user visiting a secure page
50 times a week where the norm is not more than 5), that is an indication that
there may be a security breach (possibly several people are sharing a user's
login credentials). Recommended solution: investigate, discuss the issue with
the user, and change the username and password.
You can also analyze the server logs, with particular attention to the pages where
your users log in. If you see a sudden dramatic increase in the number of times
these pages are requested, that might indicate that a hacker is trying to get into
your secure site by a "brute force" attack.
What are the minimum system requirements for WBPS?
For running the WBPS program to produce the files to secure a Web site, your computer should meet the following minimum requrements:
Processor: 400 MHz or faster.
Operating System: Any version of the Windows OS later than Windows 98.
RAM: 256 mb or greater.
Browser: Microsoft Internet Explorer version 5.5 or later must be installed on your
system (it does not need to be your primary or default browser).
Hard Drive: At least 50 mb of available space.
(There are no minimum requrements for computers your visitors use to log into sites protected by WebBuild Password Security. As long as your users have browsers that can run JavaScript code and accept cookies, they should be able to login and access Secure pages).
What is the difference between securing a site with WBPS and with Secure Sockets Layers (SSL)?
WBPS is a password authentication method that limits access to pages to users who have logged in. SSL is an encryption technology that encodes data transmitted between a browser and a server. SSL, by itself, does not limit access to pages; it merely encrypts data so page content cannot be intercepted and read by an unauthorized party.
WBPS does not encrypt data sent to and from a browser. In theory, pages on a WBPS site could be intercepted and viewed by third parties unless they are encrypted by a method like SSL.
Many sites that use SSL also use other server-based technologies to restrict access to secure areas of their site. SSL can be used in combination with WBPS to secure pages both from unauthorized access and from data interception.
If I have a problem or question, how can I get Technical Support?
The best (and usually the quickest) way to contact our award-winning Tech Support team is to email us at TechSupport@wbps.us. You can also phone us at 1-321-632-0228 during our normal business hours (8:30 AM - 4:30 PM Eastern US Time, Monday-Friday), or contact Skype user: serrem.
Will users with mobile devices (Blackberries, Smart Phones, iPhones) be able to access my site if I use WBPS?
The jury is still out on this question. The problem is that many mobile devices and microcomputers have browsers that don't fully support JavaScript or accept cookies. In general, most recent products and operating systems seem to have more complete support for JavaScript and cookies than do some earlier versions. If you are designing a site to be used by people with such equipment, you should carefully test the range of devices that you expect your users to have.
Can I give my customers a way to automatically register for a secure account?
Is there a way users can automatically reset or change their passwords?
The problem with meeting requirements, such as these, that many of our customers have, is that WBPS was designed so that no processing or data manipulation goes on at the server, making it possible to host WBPS-protected sites on virtually any Web server. Building funtionality like letting users register for accounts or change passwords is very difficult, given these constraints.
We are, howver, working on a major new release of WebBuild Password Security that will incorporate some of our users' requests in this and other areas.
|
|
