httpd-users mailing list archives

From "TD - Sales International Holland B.V." ...@salesint.com>
Subject Re: htpasswd and different kinds of encryption
Date Tue, 08 Jan 2002 13:25:47 GMT
On Tuesday 08 January 2002 12:50, you wrote:

comments inline

> "TD - Sales International Holland B.V." wrote:
> > Could you please give me some starting hints on how to lock an account
> > after 3 times trying the wrong password? I work with .htaccess/.htpasswd
> > files and haven't seen anything like that option in the docs etc.
>
> You'd have to make a CGI script to handle this. The remote user's name
> is available in the environment variable REMOTE_USER so you could keep a
> count of times that user fails login (or if you check in the error_log,
> you always get a message; "user joe: authentication failure.." when a
> login fails). Then you could remove his entry from the password file.
>
> However, at the browser end, you wouldn't get a message "Sorry your 3
> tries are up" - you'd just get "retry" forever.
>

Hmm, I was under the assumption that for the user to reach the document (it being 
HTML, PHP, CGI or whatever) he/she first had to have the password correct... 
but maybe I can find a tweak for mod_auth for that, or perhaps learn some 
C and tweak it a little myself. Anyone already done this?

> > ... so I'm really weary (is that the word? :-))
>
> Probably "wary" (careful) - although you might be "weary" (tired) too
>
> :-)
> 

Thanks; albeit slowly nowadays, my English vocabulary is still growing hehe

> > One other thing I'm
> > worried about is browser cache (not to mention the remembering of
> > usernames/passwords. I have a password protected directory at home and
> > if my IE remembers the username/password I don't even see it's a password
> > protected part it just logs in BAD BAD BAD lousy security)..... You have
> > to close the browser for it to forget the password. Now people could log
> > in and after that go to some other site. (say some news site or
> > something). Thinking there's no security issue here they just leave the
> > browser open and next day someone comes by but he/she can access our
> > password protected site without problems since it's still in the cache as
> > long as he/she doesn't close the browser. I consider this a huge security
> > "flaw" as well as the remembering. Any ways to eliminate these security
> > issues?
>
> If you log in to your unix station, do a bit of work then go for a
> coffee, when you come back and find you're still logged in, do you
> consider that a huge security flaw? Maybe you do, but it's the same
> thing. You provide the locking mechanism but you have no control
> over how a user uses it. If someone wants to leave themselves logged in
> you can't stop it.

Yes, but on a decent workstation I might come back to find out that I was 
either logged out automatically or a password-protected screensaver might 
have popped up. Besides that, the average user doesn't know about cache 
and probably assumes that the password needs to be re-entered if they used the 
same browser to visit another site afterwards, which isn't true. Also, most 
people don't care about security anywhere else than on their own systems.

> Remember that the way HTTP works: every request for a page is a separate
> transaction and each one causes the server to send a 401 "authorisation
> required" message. So the browser MUST cache the user/pass or it would
> have to prompt the user for a password on every link and on every image
> loaded.

True, however, it would be cool if browsers implemented something (or perhaps 
an HTML option you can set with a time-out value) so that the password would be 
uncached after like 10 mins or so, or maybe like 15 mins of inactivity. It 
still leaves a risk open but it would surely decrease the possibilities. Also it 
would be nice to have an option to forbid the remembering of passwords, which 
I consider a bad option anyway. Auto-completing forms is nice, but these 
things should NOT remember credit card info and passwords. Especially credit 
card info is really dangerous (albeit not for me but for the user him/herself).

> Anyway, if what you're protecting is that secret - why put it on the web
> at all? It is much more likely to be stolen by a network snooper than by
> someone stealing a password from a browser cache. Don't worry about
> other people reading the screen - that's like sending someone a book and
> worrying about someone else reading it.

I don't care about other people reading the 'book'; I would care if they'd 
rip pages out, modify text, etc... 

I'm just curious and I want to try to get this as secure as I can... Not only 
for the security itself, because on this project it isn't that much of an 
issue (but it IS an issue), but I like getting to know about security and 
it's a nice practice to do while I'm doing the project anyways.

Thanks for the reply :-)

> Rgds,
>
> Owen Boyle.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

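Owen's suggestion earlier in this thread (count the "user joe: authentication failure" messages in the error_log per user, then remove that user's entry from the password file) as an added worked example. This is not code from the thread or from the Apache project. It assumes the error_log line format shown in the constructed sample below (approximated from the message text quoted above), placeholder htpasswd hashes, a threshold of three failures, and hypothetical file paths for the cron-driven `lockout_pass` function.

```python
import os
import re
from collections import Counter

# Constructed sample error_log lines. The format is an approximation built
# around the "user joe: authentication failure" message quoted in the thread;
# these are not real log records.
SAMPLE_ERROR_LOG = """\
[Tue Jan 08 13:20:01 2002] [error] [client 192.0.2.10] user joe: authentication failure for "/private/": Password Mismatch
[Tue Jan 08 13:20:05 2002] [error] [client 192.0.2.10] user joe: authentication failure for "/private/": Password Mismatch
[Tue Jan 08 13:20:09 2002] [error] [client 192.0.2.10] user joe: authentication failure for "/private/": Password Mismatch
[Tue Jan 08 13:21:00 2002] [error] [client 192.0.2.20] user alice: authentication failure for "/private/": Password Mismatch
[Tue Jan 08 13:22:00 2002] [error] [client 192.0.2.30] File does not exist: /var/www/html/favicon.ico
"""

# Constructed .htpasswd contents; the hashes are placeholders, not real credentials.
SAMPLE_HTPASSWD = """\
joe:$apr1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
alice:$apr1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy
bob:$apr1$PLACEHOLDER$zzzzzzzzzzzzzzzzzzzzzz
"""

# Matches the user name in the authentication failure message.
AUTH_FAILURE_RE = re.compile(r"user (?P<user>[^:\s]+): authentication failure")


def count_failures(log_text):
    """Count 'authentication failure' messages per user name in error_log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAILURE_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def users_to_lock(counts, threshold=3):
    """Return the sorted list of users at or above the failure threshold."""
    return sorted(user for user, n in counts.items() if n >= threshold)


def lock_users(htpasswd_text, users):
    """Drop the lines of the given users from htpasswd text.

    Returns (new_text, removed_lines). The removed lines are handed back so
    an administrator can restore the entries later instead of losing them.
    """
    users = set(users)
    kept, removed = [], []
    for line in htpasswd_text.splitlines():
        if not line.strip():
            continue
        name = line.split(":", 1)[0]
        (removed if name in users else kept).append(line)
    new_text = "\n".join(kept) + ("\n" if kept else "")
    return new_text, removed


def lockout_pass(log_path, htpasswd_path, lockfile_path, threshold=3):
    """One pass over real files (hypothetical paths; meant to run from cron).

    Rewrites the htpasswd file atomically (temp file + rename) so Apache never
    reads a half-written file, and appends the removed lines to lockfile_path.
    """
    with open(log_path) as f:
        locked = users_to_lock(count_failures(f.read()), threshold)
    if not locked:
        return []
    with open(htpasswd_path) as f:
        new_text, removed = lock_users(f.read(), locked)
    tmp_path = htpasswd_path + ".tmp"
    with open(tmp_path, "w") as f:
        f.write(new_text)
    os.replace(tmp_path, htpasswd_path)
    with open(lockfile_path, "a") as f:
        for line in removed:
            f.write(line + "\n")
    return locked


if __name__ == "__main__":
    counts = count_failures(SAMPLE_ERROR_LOG)
    locked = users_to_lock(counts)
    new_text, removed = lock_users(SAMPLE_HTPASSWD, locked)
    print("failures per user:", dict(counts))
    print("locked:", locked)
    print("new htpasswd:\n" + new_text, end="")
```

As Owen notes, removing the entry gives the browser no "your 3 tries are up" message; the user simply keeps getting 401 retries. Two practical caveats for a defender running this from cron: track how far into the log the last pass got (or rotate the log), otherwise the same old failures are counted again on every run, and keep in mind that counting by user name alone lets anyone who knows a user name lock that user out by typing wrong passwords, which is the usual trade-off of account lockout against password guessing.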

