[thelist] Login Screen Security

John.Brooking at sappi.com John.Brooking at sappi.com
Fri Nov 14 15:03:12 CST 2003


Josh said:
 >I've been withholding, you're right... but now that you're thinking about
 >all the angles I'll give you a possible solution to the whole thing:

 > ... (brilliant solution outlined) ...

 >All in all, this would work, but man is it a complex solution! I'd
 >suggest you use SSL until something better comes out. :-)

Josh,

  A public thank-you for your suggestion, in addition to the private one I
sent this morning. I said I had a few variations in mind, but I think I've
convinced myself that they don't buy me anything, so forget about that.

  The programmer in me of course wants to implement your solution just
because it's cool, but I want to make sure that that's not the only reason
I'm doing it. The better justification, IMHO, is that my software is not
handling financial information, credit card numbers, or anything else
dealing with personal privacy, so requiring SSL only to have a secure login
screen seems like overkill. Furthermore, I'm targeting my software to very
small non-profits and businesses who in all likelihood are buying space on
an ISP instead of running their own servers. While the businesses may
already have an SSL solution for their sales, the non-profits probably
don't, and I don't want that additional requirement for just a login screen.

  I guess I don't have any other questions, unless you have any more
comments on what I should do. Thanks again for taking the time to address my
question. (And also for the SSL tip I just now noticed that you posted.) I
hope you don't mind my referencing your solution in my own tip below.

  NOTE TO LIST: In the introduction to my tip previously in the week, I did
not mean to whine. I only meant to imply that I was tempted to, but was
resisting the temptation (except for the first sentence), and was trying to
get attention (yes, I'll admit it) constructively instead.

<tip type="crypt, htpasswd, and security" author="John Brooking">

According to [1], the Apache htpasswd utility uses the Unix/C/Perl crypt or
crypt(3) function ("man crypt" or "perldoc -f crypt") to encrypt its
passwords on the server. However, you should be aware that the password
which the user types into the browser client dialog is sent in plain text to
the server, making it susceptible to packet sniffing.

It is possible to work out a rather complex solution which doesn't involve
sending a plain text password. This requires using crypt on both the client
and server side of a home-grown login screen. See [2] for an example; a
client-side JavaScript implementation is available at [3]. But implementing
your login screen in SSL may be simpler, and is more standard.

[1] http://httpd.apache.org/docs/howto/auth.html
[2] http://lists.evolt.org/archive/Week-of-Mon-20031110/151399.html
[3] http://javascript.internet.com/passwords/unix-crypt(3)-encryption.html

</tip>

Have a good week-end, everyone!

- John
-----------------

This message may contain information which is private, privileged or
confidential and is intended solely for the use of the individual or entity
named in the message. If you are not the intended recipient of this message,
please notify the sender thereof and destroy / delete the message. Neither
the sender nor Sappi Limited (including its subsidiaries and associated
companies) shall incur any liability resulting directly or indirectly from
accessing any of the attached files which may contain a virus or the like.
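The two points of the tip above, shown in code. This is an added illustration, not code from the post, from Josh's elided solution, or from the linked pages: the first function decodes a constructed HTTP Basic Authentication header to show that the browser's login dialog puts the password on the wire in a reversible encoding, and the rest sketches the general shape of a challenge-response login in which only a keyed hash of a per-login nonce crosses the wire. HMAC-SHA256 is substituted for crypt(3) as the one-way function, the user name, password, and `Server`/`client_response` names are constructed for the example, and the caveats in the comments (the stored verifier becomes password-equivalent, and a captured nonce/response pair still allows offline guessing of weak passwords) are the reasons the tip's "SSL may be simpler" advice holds.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample of what HTTP Basic Authentication sends on the wire:
# base64 of "user:password". Base64 is an encoding, not encryption.
SAMPLE_BASIC_HEADER = "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode()


def basic_auth_credentials(header_line):
    """Return (user, password) from a Basic auth header line.

    Anyone who can read the unencrypted HTTP stream recovers the password
    verbatim; with Basic auth the only protection is the transport (SSL/TLS).
    """
    prefix = "Authorization: Basic "
    if not header_line.startswith(prefix):
        raise ValueError("not a Basic auth header")
    decoded = base64.b64decode(header_line[len(prefix):]).decode()
    user, _, password = decoded.partition(":")
    return user, password


# --- Challenge-response login: a generic shape, not the scheme elided above ---
# Assumption: HMAC-SHA256 stands in for crypt(3) as the keyed one-way function
# used on both client and server; htpasswd would store a crypt(3) string instead.

def password_verifier(password):
    """Server-side stored value derived from the password (constructed: plain SHA-256)."""
    return hashlib.sha256(password.encode()).digest()


def client_response(password, nonce):
    """Client side: hash the server's nonce with the verifier; the password never leaves."""
    return hmac.new(password_verifier(password), nonce.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, verifiers):
        # user -> verifier. Caveat: this file is password-equivalent. Whoever reads it
        # can answer any challenge, so it needs the same protection as a password list.
        self._verifiers = verifiers
        self._outstanding = {}   # user -> nonce issued for the login in progress
        self._used = set()       # every nonce ever issued, so a replayed response fails

    def challenge(self, user):
        """Issue a fresh random nonce; a predictable or reused nonce defeats the scheme."""
        nonce = secrets.token_hex(16)
        self._outstanding[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        """Accept only a response to the nonce currently outstanding for this user."""
        expected_nonce = self._outstanding.pop(user, None)
        if expected_nonce is None or nonce != expected_nonce or nonce in self._used:
            return False
        self._used.add(nonce)
        verifier = self._verifiers.get(user)
        if verifier is None:
            return False
        expected = hmac.new(verifier, nonce.encode(), hashlib.sha256).hexdigest()
        # Constant-time compare, so response timing leaks nothing about the expected value.
        return hmac.compare_digest(expected, response)


def login_flow(server, user, password):
    """One complete exchange; returns (nonce, response, accepted)."""
    nonce = server.challenge(user)
    response = client_response(password, nonce)
    return nonce, response, server.verify(user, nonce, response)


if __name__ == "__main__":
    print("on the wire:", SAMPLE_BASIC_HEADER, "->", basic_auth_credentials(SAMPLE_BASIC_HEADER))
    srv = Server({"alice": password_verifier("s3cret")})
    nonce, response, ok = login_flow(srv, "alice", "s3cret")
    print("challenge-response login accepted:", ok)
    print("replay of the same response accepted:", srv.verify("alice", nonce, response))
```

What an observer sees in the second exchange is a random nonce and a keyed hash, not the password, which removes the plaintext-sniffing problem the tip describes. It does not remove everything: the observer can still run password guesses against the captured pair offline, the server's verifier file must be guarded like a password file, and every login needs a fresh nonce. SSL protects the same login screen without any of those conditions, which is why the tip and Josh both end up recommending it.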

