Re: WWW User authentication

> I just finished writing a cgi script to allow users to change their login passwords via a webpage. I currently have the webpage being authenticated with the basic option (uuencoded plaintext). MD5 would be nicer, but how many browsers actually support it?

A straight MD5 probably isn't supported by any of them, but then again MD5 is not necessarily going to help too much. The sort of people that need a web page to change their password aren't likely to use overly complex passwords (mixed-case, scrambled-in numbers, et al.), so if a snoop can get the MD5, her chances of getting a password aren't all that bad.

> When the user changes their password, the form sends their name, old password, and new password with it, in the clear. This is no worse than changing your password across a telnet connection, but I'd like it to be more secure while still usable by a large number of browsers.

Your best bet is to try to implement it via SSL, but as I understand it that limits you on your server options quite a bit. Netscape and Apache have it, as I understand; I think that's about it actually. But that's far from my areas of expertise.

dave

On Tue, 9 Apr 1996 16:12:17 -0600, you wrote:
> > I just finished writing a cgi script to allow users to change their login passwords via a webpage. I currently have the webpage being authenticated with the basic option (uuencoded plaintext). MD5 would be nicer, but how many browsers actually support it?
>
> A straight MD5 probably isn't supported by any of them, but then again MD5 is not necessarily going to help too much. The sort of people that need a web page to change their password aren't likely to use overly complex passwords (mixed-case, scrambled-in numbers, et al.), so if a snoop can get the MD5, her chances of getting a password aren't all that bad.

Hey! I'm not a total dunce! <G> The cgi I wrote (ok, ok, hacked) includes cracklib support. It won't let people enter simple passwords.

> Your best bet is to try to implement it via SSL, but as I understand it that limits you on your server options quite a bit. Netscape and Apache have it, as I understand; I think that's about it actually. But that's far from my areas of expertise.

Yep, that's about it. And they want you to pay for using it in a commercial venture (which my system will be eventually), and I can't justify (or afford) the expense.

Brian
------- <blane@aa.net> -------------------- <http://www.aa.net/~blane> -------
Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!)
============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============
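A cracklib-style check of the kind Brian says his script bolts on, plus the server side of the change-password form it guards, as an added example. This is neither his cgi nor cracklib itself (whose real entry point is `FascistCheck()` in C, with a Python binding of the same name); the rules here are a simplified rendering of cracklib's, the reason strings are modelled on its messages, and the word list and the digit/symbol substitution table are constructed for the example. The hashed store replaces whatever password database the real script updates.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the system word list cracklib consults; a real
# deployment hands cracklib a packed dictionary built from /usr/share/dict/words.
SMALL_DICT = {"password", "secret", "welcome", "letmein", "qwerty", "dragon", "monkey"}

# Digit/symbol substitutions undone before the dictionary lookup
# (simplified from cracklib's gleaning rules; this mapping is the example's own).
LEET = str.maketrans("0134578$@!", "oleastsbai")
MIN_LEN = 8
MIN_DISTINCT = 5
MIN_CLASSES = 3


def _dictionary_forms(pw):
    """Variants of the password the word list is checked against."""
    low = pw.lower()
    forms = {low, low[::-1], low.translate(LEET)}
    # Strip leading/trailing digits and punctuation: "letmein1!" -> "letmein".
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", low)
    if core:
        forms.update({core, core[::-1], core.translate(LEET)})
    return forms


def fascist_check(pw, username=None, dictionary=SMALL_DICT):
    """Return None when the password is acceptable, otherwise a reason string
    modelled on cracklib's messages. Cheap structural checks run first."""
    if len(pw) < MIN_LEN:
        return "it is too short"
    low = pw.lower()
    if username:
        u = username.lower()
        if u in low or u[::-1] in low:
            return "it is based on your username"
    if low == low[::-1]:
        return "it is a palindrome"
    if len(set(low)) < MIN_DISTINCT:
        return "it does not contain enough DIFFERENT characters"
    if _dictionary_forms(pw) & set(dictionary):
        return "it is based on a dictionary word"
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        return "it is too simplistic/systematic"
    return None


def _hash(pw, salt):
    # Salted PBKDF2 so the store never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


def enroll(store, username, pw):
    """Write a fresh salted hash for the user into the (dict) store."""
    salt = os.urandom(16)
    store[username] = (salt, _hash(pw, salt))


def verify(store, username, pw):
    entry = store.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_hash(pw, salt), digest)


def change_password(store, username, old_pw, new_pw):
    """What the change-password form handler does with the three fields it
    receives: check the old password, enforce the policy, then update."""
    if not verify(store, username, old_pw):
        return (False, "old password incorrect")
    reason = fascist_check(new_pw, username)
    if reason:
        return (False, f"BAD PASSWORD: {reason}")
    enroll(store, username, new_pw)
    return (True, "password changed")
```

The policy check runs after the old-password check on purpose: a caller who has not proved the old password learns nothing about which new passwords the policy would accept. Note that `fascist_check` catches the leet-spelled and digit-suffixed forms of a word ("P@ssw0rd!!", "Letmein1!") that a naive dictionary comparison misses, which is the part of cracklib that actually matters against the offline guessing Dave describes.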
participants (2)
- blane@aa.net
- David E. Smith