Pwd64

Pwd64 is a tool for generating basic WWW-authentication tickets. It is intended for use with Templeton©.

How to use Pwd64

The Templeton configuration file allows basic authentication to be configured. This allows completely automated web-page retrieval, without prompting the user for a user name and password.

Basic WWW-authentication requires 3 elements. The realm is a quoted string provided by the WWW server. A user name and password are required from the user. The user name and password are encoded using Base64 -- an insecure encoding method -- and sent to the WWW server as an authentication ticket. Pwd64 allows you to generate the Base64 authentication tickets. You may then include the ticket and the realm (provided by the WWW server) in the configuration file.

To use Pwd64, run the executable at the command prompt. It will ask for the user name and password. (Note: your password will not be echoed to the screen.)

For example, if your user name is "dr.neal" and your password is "templeton" then you would see: 
Pwd64 1.0: Base64 encoding for Basic WWW-Authentication
by N.A. Krawetz
Copyright 1996,1997.  All rights reserved.

Enter user name: dr.neal
Enter password:
  base64 encoded: ZHIubmVhbDp0ZW1wbGV0b24=
The base64 encoded string is the authorization ticket. This string is case sensitive. For the realm "Very Private", you would put in your configuration file: 

Authorize "Very Private" ZHIubmVhbDp0ZW1wbGV0b24=

Where's the realm?

The realm is a quoted string, provided by the WWW server. The easiest way to find the realm is to have Templeton retrieve the protected document. Templeton will display the realm and prompt for a user name and password.

A note about realms: They are not "unique". It is possible for two different web sites to use the same realm but require different user names or passwords. Even worse, it is possible for different documents on the same web server to require different user names and passwords while using the same realm. This occurs when different people setup their own password protection. Different people may use the same realm name, without thinking of uniqueness. Some common realms we have seen are "Secret", "Password", and "Private".

How secure is it?

Even though the documents are protected with a user name and password, they are by no means secure. Base64 encoding does not encrypt the data for protection. Since user names and passwords may contain spaces and other special characters, they cannot easily be transmitted to the WWW server. (The server may try to interpret a space as a separation between words rather than a character in a password.) Base64 encodes the user name and password so the server will not make any mistakes when interpreting the authentication ticket.

Unlike DES, PGP, and other cryptographic encoding schemes, Base64 is easily reversable and not meant for privacy. In fact, anyone can download the specifics for Base64 from the web! Your secret password and user name are transmitted in easy-to-decode text across the world every time you access a protected web document. To reiterate: Base64 encoding is not private and not secure.

Other tools that use Base64 encoding include e-mail and news readers which can view Mime-encoded documents. Mime uses Base64 to encode and decode the document.

[Main Menu]
Document revision: 10 Mar. 1997 for Templeton 1.970
Copyright 1996,1997 N.A. Krawetz
Modification, republication, and redistribution of this document is strictly prohibited. All rights reserved.