httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] Could Apache login support CAPTCHA and lockout?
Date Sun, 09 Oct 2011 22:11:40 GMT
On October 9, 2011 17:39, Neal Rhodes <neall@mnopltd.com> wrote:
> One would suppose from the responses that using .htpasswd and Basic
> Auth is really a lousy approach to security, since an attacker can
> just wail away indefinitely trying repeatedly, unless one configured
> something like fail2ban to cut off repeated attempts.  I was just
> looking to improve on that if possible.

Actually, Basic Auth is a lousy approach to security because:

- It uses passwords, which are susceptible to being stolen (keyloggers, 
social engineering attacks) or being guessed.  Additionally, most users 
are bad at choosing strong passwords and will re-use passwords between 
multiple sites.

- The hashed passwords are stored on the web server and are readable by 
the web server process.  If the web server is compromised, the attacker 
can copy the .htaccess file and brute-force the passwords offline (e.g., 
using rainbow tables).

- The username and password are sent from the web browser to the web 
server in Base 64 format.  If either web server or the network are 
compromised, the attacker can intercept passwords directly.  (Even if 
HTTPS is used for all authenticated pages).

- As you mentioned, there is no way to log out short of the user closing 
(or resetting/sanitizing) their web browser.

- The user interface for Basic Auth in most web browsers is poor, with 
limited opportunity to customize the authentication process.


Better alternatives include:

- SPNEGO

- one-time passwords (including both sequence-based and time-based 
"token" implementations such as HOTP/OATH)

- web single-sign-on systems, particularly those which centralize all 
handling of passwords and which are designed to remain uncompromised 
even if one of the web servers using it becomes compromised

- client X.509 certificates (either in the web browser or on a hardware 
token)

- passwords combined with any of the above for multi-factor authentication.

Of course, many of these require special things of end users and their 
computers which may not be feasible except in controlled "enterprise 
like" environments.

--
   Mark Montague
   mark@catseye.org
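The quoted question mentions fail2ban-style cut-off of repeated attempts. The following is an added example, not code from this thread or from the Apache project: it runs the kind of detection logic such a cut-off relies on over a few constructed Apache "combined" format log lines. It assumes the default combined LogFormat (where %u carries the presented username even when the response is 401, so a 401 with a "-" user is the initial challenge rather than a rejected credential), a constructed threshold of five rejected credentials within 60 seconds, and hypothetical client addresses from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 203.0.113.7 gets one challenge (user "-"), then five rejected "admin" attempts.
# 198.51.100.9 gets one challenge, one rejected "alice" attempt, then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2011:22:00:01 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.21"
203.0.113.7 - admin [09/Oct/2011:22:00:02 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.21"
203.0.113.7 - admin [09/Oct/2011:22:00:03 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.21"
203.0.113.7 - admin [09/Oct/2011:22:00:04 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.21"
203.0.113.7 - admin [09/Oct/2011:22:00:05 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.21"
203.0.113.7 - admin [09/Oct/2011:22:00:06 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.21"
198.51.100.9 - - [09/Oct/2011:22:00:10 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.9 - alice [09/Oct/2011:22:00:11 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.9 - alice [09/Oct/2011:22:00:12 +0000] "GET /private/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

# Matches the leading fields of a combined-format line: client IP, ident,
# remote user (%u), timestamp, request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def failed_auth_attempts(log_text):
    """Yield (ip, timestamp, user) for each 401 where credentials were presented.

    A 401 with user "-" is Apache's initial challenge (no Authorization header
    yet), so it is skipped; only rejected credentials count as failures.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("status") != "401" or m.group("user") == "-":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("user")


def lockout_candidates(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: timestamp at which the failure threshold was first reached}.

    Uses a per-IP sliding window so that a client with occasional typos spread
    over time is not flagged, while a burst of rejected credentials is.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts, _user in failed_auth_attempts(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in lockout_candidates(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when.isoformat()}")
```

Feeding the result to a firewall rule or to a temporary Require-by-IP deny is the part fail2ban automates; the detection above is deliberately conservative in that it counts only rejected credentials rather than every 401, which keeps normal first-visit challenges from inflating the count.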


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.

