
Re[2]: Is password good enough?



Surely if you use a 'secure' interface like SSL, "sniffing" the passwords while 
in transit won't be a problem. I know you can patch telnet and other such 
programs to use SSL as well for the same reason.

Also, if you create a group, say "http", that your httpd daemon runs as, and 
make the .htaccess and .htpasswd files read only by that group, and not by 
anyone else, then they are as secure as shadow passwords on a UNIX system (i.e. 
fairly secure).

                Cheers... Mike

------------

On Wed, 3 Apr 1996, Mariam Jazayeri wrote:

> I would like to know if this group feels password is sufficient for
> protecting sensitive information on Web inside the firewalls.
> I know most document servers provide password protection, but I'm not sure if
> that's good enough to protect sensitive information on the Web?
>
> Any thoughts?

Well, doesn't that depend on the type of authentication to which you are
referring? Ultimately, I tend to agree with those who have told me that if
you trust telnet or FTP, you shouldn't have any trouble trusting web
authentication.  Both travel as loosely encoded flat-text over the wire.

Personally, I feel that if you allow some way for your users to change
their passwords when they suspect tampering you've achieved a practical
level of security.  Passwords which are more difficult to change (i.e.
root) should be reserved for use from behind a firewall only.  The risk of
someone sniffing this out is just too high (although your
chances of being mugged on the street are probably higher than your
password being sniffed).

Of course, if you have many users with shell access .htaccess isn't
acceptable for the simple fact that users can look at the .htpasswd file
for the legal usernames.  Hence the "rule" never use UNIX system account
usernames and passwords for ".htaccess"-type authentication.

This is an interesting question.  I'd love to hear further input from
others since more UNIX-based functionality is moving to some form of web
interface.

Of course, I'm no expert.

Robert Muhlestein
Teleport Creative Services
CGI/Java Guy
cgi@teleport.com
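Two points from the thread can be checked mechanically: Mike's suggestion that .htaccess and .htpasswd be readable only by the group the httpd runs as, and Robert's observation that shell users can otherwise read .htpasswd for the list of valid usernames. The script below is an added example, not code from either poster or from any httpd project. It assumes a POSIX filesystem, uses the running process's own group in place of an "http" group (a hypothetical stand-in), and writes a constructed placeholder .htpasswd rather than real credentials.

```python
import os
import stat
import tempfile

# Constructed stand-in for an .htpasswd file; the hashes are placeholders.
SAMPLE_HTPASSWD = "alice:$placeholder-hash$\nbob:$placeholder-hash$\n"


def audit_auth_file(path, httpd_gid):
    """Return a list of permission problems for an .htpasswd or .htaccess file.

    The target state follows the thread: owned by the httpd group, readable by
    that group and the owner, and by nobody else (mode 0640).
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable: any shell user can list the usernames")
    if mode & stat.S_IWOTH:
        problems.append("world-writable: anyone can add or replace an account")
    if mode & stat.S_IWGRP:
        problems.append("group-writable: the httpd process itself could rewrite it")
    if st.st_gid != httpd_gid:
        problems.append("wrong group: gid %d is not the httpd group" % st.st_gid)
    return problems


def lock_down(path, httpd_gid):
    """Apply the recommended ownership and mode: owner rw, httpd group r, others none."""
    os.chown(path, -1, httpd_gid)  # -1 leaves the owner unchanged
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)  # 0640


def demo():
    """Write a constructed .htpasswd with a typical 0644 mode, audit it, lock it
    down, audit again. Returns (problems_before, problems_after)."""
    httpd_gid = os.getgid()  # assumption: stands in for the 'http' group
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htpasswd")
        with open(path, "w") as f:
            f.write(SAMPLE_HTPASSWD)
        os.chmod(path, 0o644)  # the usual default: world-readable
        before = audit_auth_file(path, httpd_gid)
        lock_down(path, httpd_gid)
        after = audit_auth_file(path, httpd_gid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before lock_down:", before)
    print("after lock_down:", after)
```

On a real server you would pass the gid of the group the httpd actually runs as (for example via `grp.getgrnam("http").gr_gid`) and run `audit_auth_file` over every .htpasswd and .htaccess under the document root; an empty result means the file is readable only by the httpd group and its owner, which is the condition both posters rely on.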

