
Re: Change password...



S.W. Cheung wrote:
=>
=>Dear All:
=>
=>I put a Web page in my server to allow users to change their password.  I 
=>use the cgi program "change-password" from NCSA (Sorry if I am wrong).  
=>It seems it worked fine.
=>
=>However, I encounter a problem that when the user changes the password 
=>with the page, they cannot login again with either old or new password.
=>
=>I find out that the encrypted string for the changed password becomes 
=>"p4..........." in the password files...
=>
=>What's wrong with my setup?

Hi,

  errr.. can I say 'everything' without sounding offensive????

First, I think you will find that the 'change-passwd' program does not
match the standard Unix 'passwd' program exactly. As such, you may be
screwing your UNIX password file into the ground, so that NONE of your
users will be able to login!!!

Second, depending on what method you use for transfer of data between the
WebPage and the WebServer, you may be leaving yourself open to 'other'
people finding out the user's new password. It has something to do with
HTTP-type text transfers generally taking place as fairly easily readable
text inputs. As such, an 'enlightened' user could either 'tap' the
connection, or maybe even just get the WebPage to redirect its output on a
second try so that they would have a copy of the new password.

I think you may be falling into the traps that seemed to arise, and be
talked a lot about, early last year. The Web is a great place for
information provision. It is not YET fully ready, IMHO, to become the
front-end for a user session to the operating system.

Steff
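Both of Steff's points, illustrated as an added example (this is not code from either post, nor from NCSA's change-passwd): a password-change routine that refuses to commit a new entry unless the new hash actually verifies, so a changer that writes something like "p4..........." cannot lock anyone out, plus a parse of what a form submission looks like to anyone reading the HTTP connection. crypt(3) is replaced by a stand-in digest (an assumption, so the code runs without libcrypt); the password-file text and the captured request are constructed sample data.

```python
"""Verify-before-commit for a Web password-change CGI, and what a sniffed
form submission looks like. Added example for this thread, not code from
the original posts or from NCSA's change-passwd. crypt(3) is replaced by
a stand-in digest (assumption); the password-file text and the captured
HTTP request are constructed sample data."""
import hashlib
import hmac
import os
import tempfile
from urllib.parse import parse_qs

CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def stand_in_crypt(password, salt):
    """Stand-in for crypt(3): 2-char salt + 11 chars from the crypt alphabet.
    Not DES; only the shape (13 chars, salt-prefixed) matches the real thing."""
    digest = hashlib.sha256((salt[:2] + ":" + password).encode()).digest()
    return salt[:2] + "".join(CRYPT_ALPHABET[b % 64] for b in digest[:11])


# Constructed /etc/passwd-style sample with traditional 13-char hash fields.
SAMPLE_PASSWD = (
    "root:" + stand_in_crypt("r00tpw", "kN") + ":0:0:root:/:/bin/sh\n"
    "cheung:" + stand_in_crypt("oldsecret", "ab") + ":501:100:S.W. Cheung:/home/cheung:/bin/sh\n"
)


def entry_verifies(passwd_text, user, password, crypt_fn=stand_in_crypt):
    """The login check: the stored hash for `user` must re-derive from
    `password` using the two salt characters stored in that hash."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            stored = fields[1]
            return hmac.compare_digest(crypt_fn(password, stored[:2]), stored)
    return False


def broken_cgi_rewrite(passwd_text, user, new_password):
    """Models the symptom from the thread: a changer that stores a 13-char
    string from the crypt alphabet that is not the hash of any password."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            fields[1] = "p4..........."
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def correct_rewrite(passwd_text, user, new_password, crypt_fn=stand_in_crypt):
    """Replace only `user`'s hash, reusing the old entry's salt characters."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            fields[1] = crypt_fn(new_password, fields[1][:2])
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def change_password(passwd_text, user, new_password, rewrite):
    """Run a rewriter, then refuse its output unless every other line survived
    unchanged and the new entry verifies. Returns (accepted, text); on
    failure the original text is returned so nobody gets locked out."""
    candidate = rewrite(passwd_text, user, new_password)
    keep = lambda text: [l for l in text.splitlines() if not l.startswith(user + ":")]
    if keep(passwd_text) != keep(candidate):
        return False, passwd_text
    if not entry_verifies(candidate, user, new_password):
        return False, passwd_text
    return True, candidate


def commit_passwd_file(path, text):
    """Atomic replace: temp file in the same directory, fsync, rename, so a
    crash mid-write never leaves a truncated password file behind."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".passwd.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


# Constructed capture of the form submission as it travels over plain HTTP.
CAPTURED_POST = (
    "POST /cgi-bin/change-passwd HTTP/1.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 42\r\n\r\n"
    "user=cheung&old=oldsecret&new=n3wSecret%21"
)


def form_fields_from_capture(raw):
    """Anyone on the wire recovers old and new password with one parse."""
    body = raw.split("\r\n\r\n", 1)[1]
    return {k: v[0] for k, v in parse_qs(body).items()}
```

Running `change_password(SAMPLE_PASSWD, "cheung", "n3wSecret!", broken_cgi_rewrite)` yields `(False, SAMPLE_PASSWD)`, because "p4..........." does not re-derive from the new password; the same call with `correct_rewrite` is accepted and the old password stops verifying. The capture parse returns the new password in clear, which is the whole of Steff's second point: without an encrypted transport, the form is as readable as the password file used to be.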

