From: blane@aa.net (Brian C. Lane)
To: cypherpunks@toad.com
Message Hash: b0d634fd1d7dc76adb2f5d40e673b016568888aa0100826ccc6c4ad7affa5565
Message ID: <316c8d64.18461422@mail.aa.net>
Reply To: <199604092101.QAA23912@cdale1.midwest.net>
UTC Datetime: 1996-04-11 22:36:17 UTC
Raw Date: Fri, 12 Apr 1996 06:36:17 +0800
From: blane@aa.net (Brian C. Lane)
Date: Fri, 12 Apr 1996 06:36:17 +0800
To: cypherpunks@toad.com
Subject: Re: WWW User authentication
In-Reply-To: <199604092101.QAA23912@cdale1.midwest.net>
Message-ID: <316c8d64.18461422@mail.aa.net>
MIME-Version: 1.0
Content-Type: text/plain
On Tue, 9 Apr 1996 16:12:17 -0600, you wrote:
>> I just finished writing a cgi script to allow users to change their login
>> passwords via a webpage. I currently have the webpage being authenticated
>> with the basic option (uuencoded plaintext). MD5 would be nicer, but how
>> many browsers actually support it?
>
>A straight MD5 probably isn't supported by any of them, but then again
>MD5 is not necessarily going to help too much. The sort of people
>that need a web page to change their password aren't likely to
>use overly complex passwords (mixed-case, scrambled-in numbers,
>et al.) So if a snoop can get the MD5, her chances of getting a password
>aren't all that bad.
Hey! I'm not a total dunce! <G> The cgi I wrote (ok, ok, hacked) includes
cracklib support. It won't let people enter simple passwords.
>Your best bet is to try to implement it via SSL, but as I understand
>it that limits you on your server options quite a bit. Netscape and
>Apache have it, as I understand; I think that's about it actually.
>But that's far from my areas of expertise.
Yep, that's about it. And they want you to pay for using it in a
commercial venture (which my system will be eventually), and I can't
justify (or afford) the expense.
Brian
------- <blane@aa.net> -------------------- <http://www.aa.net/~blane> -------
Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!)
============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============
Return to April 1996
Return to ““David E. Smith” <dsmith@midwest.net>”