[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WWW User authentication

To: [email protected] (Brian C. Lane)
Subject: Re: WWW User authentication
From: "David E. Smith" <[email protected]>
Date: Tue, 9 Apr 1996 16:12:17 -0600
CC: [email protected]
Comments: Authenticated sender is <dsmith@[204.248.40.2]>
Organization: Bureau 42 Enterprises
Priority: normal
Reply-to: [email protected]
Sender: [email protected]

>   I just finished writing a cgi script to allow users to change their login
> passwords via a webpage. I currently have the webpage being authenticated
> with the basic option (uuencoded plaintext). MD5 would be nicer, but how
> many browsers actually support it?

A straight MD5 probably isn't supported by any of them, but then again
MD5 is not necessarily going to help too much.  The sort of people
that need a web page to change their password aren't likely to
use overly complex passwords (mixed-case, scrambled-in numbers,
et al.)  So if a snoop can get the MD5, her chances of getting a password
aren't all that bad.
 
>   When the user changes their password, the form sends their name, old
> password, and new password with it, in the clear. This is no worse than
> changing your password across a telnet connection, but I'd like it to be
> more secure, but useable by a large number of browsers.

Your best bet is to try to implement it via SSL, but as I understand
it that limits you on your server options quite a bit.  Netscape and
Apache have it, as I understand; I think that's about it actually.
But that's far from my areas of expertise.


dave

Follow-Ups:
- Re: WWW User authentication
  - From: [email protected] (Brian C. Lane)

Prev by Date: Re: Job at C2.NET
Next by Date: Re: Bulletin: Cypherpunks say no taxes owed by moneychanger
Prev by thread: Re: WWW User authentication
Next by thread: Re: WWW User authentication
Index(es):
- Date
- Thread