From: “David E. Smith” <dsmith@midwest.net>
To: blane@aa.net (Brian C. Lane)
Message Hash: 7a3535f7a07f012aae01836ef1f92dcf56b4f7bbea25445412d605b7d0340f3d
Message ID: <199604092101.QAA23912@cdale1.midwest.net>
Reply To: N/A
UTC Datetime: 1996-04-10 14:23:17 UTC
Raw Date: Wed, 10 Apr 1996 22:23:17 +0800
Subject: Re: WWW User authentication
> I just finished writing a cgi script to allow users to change their login
> passwords via a webpage. I currently have the webpage being authenticated
> with the basic option (uuencoded plaintext). MD5 would be nicer, but how
> many browsers actually support it?

A straight MD5 probably isn't supported by any of them, but then again
MD5 is not necessarily going to help too much. The sort of people
that need a web page to change their password aren't likely to
use overly complex passwords (mixed-case, scrambled-in numbers,
et al.). So if a snoop can get the MD5, her chances of getting a password
aren't all that bad.

> When the user changes their password, the form sends their name, old
> password, and new password with it, in the clear. This is no worse than
> changing your password across a telnet connection, but I'd like it to be
> more secure, but useable by a large number of browsers.

Your best bet is to try to implement it via SSL, but as I understand
it that limits you on your server options quite a bit. Netscape and
Apache have it, as I understand; I think that's about it actually.
But that's far from my areas of expertise.

dave
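
Added example (not part of the original message or thread): a Python sketch of why neither Basic auth nor a bare MD5 of the password protects a weak password from someone who can read the traffic, which is the case for moving the form to SSL. The user name, passwords and wordlist are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
from typing import Iterable, Optional, Tuple

# Constructed sample data; none of these values come from the thread.
COMMON_PASSWORDS = ["password", "letmein", "sunshine", "qwerty", "dragon"]


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header: str) -> Tuple[str, str]:
    """Anyone who sees the header reads the password: base64 is reversible."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def bare_md5(password: str) -> str:
    """Unsalted MD5 of the password alone: same input, same digest, every time."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def guessable_from_digest(observed: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose bare MD5 equals the observed digest, if any."""
    observed = observed.lower()
    for candidate in candidates:
        if bare_md5(candidate) == observed:
            return candidate
    return None


if __name__ == "__main__":
    header = basic_auth_header("alice", "sunshine")
    print(header, "->", decode_basic_auth(header))
    print(guessable_from_digest(bare_md5("sunshine"), COMMON_PASSWORDS))
    print(guessable_from_digest(bare_md5("kT9#vq!2LmZx"), COMMON_PASSWORDS))
```

A digest is only as hard to reverse as the password is hard to guess, so the common password is matched while the long random one is not.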