httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Richard Peacock" <richard.peac...@minorplanet.com>
Subject RE: [users@httpd] Looking for cheap and secure Authentification - Build own OTP?
Date Thu, 02 Apr 2009 10:18:50 GMT
At work we have a series of changing passwords, they are based around
the date. For example, the least secure of our passwords would be worked
out something like:

9999 - mmdd = password

So if the date is April 02 2009, then the mmdd string would be 0402.
The password would be calculated as

9999 - 0402 = 9597

Although the password would only change once a day, I am sure from this
you could engineer something to change per hour or even minute if
desired?

-----Original Message-----
From: ml@bortal.de [mailto:ml@bortal.de] 
Sent: 02 April 2009 11:12
To: users@httpd.apache.org
Subject: [users@httpd] Looking for cheap and secure Authentification -
Build own OTP?

Hello List,

we would like to protect a Web-Application Server (lets say Outlook 
Webaccess or whatever) by using a Reverse Proxy / Apache. This works out

quite well so far.

- - -

Now we would like to add an Authentification, so that only Users who 
pass the Reverse Proxy auth, will get to the Web-App login. This can be 
done by some htacces and static passwords. The disatvantage is, that 
this are static passwords and they could be stored by keyloggers.  So we

need some kind of one time passwords (OTP).

Is there a way to add some random "salt" to the http authentification?

- - -

I had the following idea (http://i39.tinypic.com/zmyyjs.jpg):

The User gets to some Login Page (PHP) where he enters his 
Username/Password. Then PHP asks him for his 3, 6 and 12 Digit of his 
Passport-ID (this can be random). After submitting this, we could set 
this User/Password+(Append RandomNumber) combinations in a Database 
where htaccess could try to auth against. This would mean, that the user

wold have to enter his Login-Information AGAIN using 
User/Password+(Appended RandomNumber).

Is there a way to get rid of the http access prompt?
Or is there maybe a complete other way to do a secure and cheap OTP 
authentification?

Any ideas?

Cheers,
Mario

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



**********************************************************************
Privileged/Confidential Information may be contained in this 
message. If you are not the addressee indicated in this 
message (or responsible for delivery of the message to such 
person), you must not copy, distribute or take any action in 
reliance to it.
In such case, you should destroy this message and kindly 
notify the sender by reply email. Please advise immediately 
if you or your employer do not consent to Internet email for 
messages of this kind. Opinions, conclusions and other 
information in this message that do not relate to the official 
business of Minorplanet Systems plc shall be understood as 
neither given nor endorsed by it. Minorplanet Systems plc, Registration no: 3372097
Minorplanet Limited, Registration no: 4072786
Greenwich House, 223 North Street, Leeds, LS7 2AA
VAT #: 698 1438 86
********************************************************************** 
 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message