[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How can I change a password from a script?

On Fri, Dec 03, 1999 at 04:57:51PM -0500, Nick Cabatoff wrote:

> How do you prevent people from cracking passwords via your web page?
> I'm still looking for a secure way to accept passwords via HTML - even
> with SSL, from what I understand the available authentication stuff
> isn't suitable for use with /etc/passwd.  It's too easy for someone
> to write a brute-force password scanner that won't leave traces.

I don't have problems like this because it's an intranet server and all
connections from outside are blocked by ipchains rules, since they haven't any
reason to be; you could, however, use SSL just to have an encrypted channel,
and provide a page to authenticate the user, set a SSL-only cookie with an
authorization token and use that for the following session.

Password scanners leave traces in your web logs, and you could block too many
consecutive attempts from the same IP, while SSL is protecting user data and
authorization tokens.

I don't see any problems with this; if you do, however, let me know, because
that's what I would use, and I'm probably going to have a need for it in a
couple of months. :-)

				Read you soon! Enrico

GPG public key available on finger -l zinie@cs.unibo.it

Reply to: