Re: Basic Authentication with Apache?

Author: Steve Holmes
Date:  
To: plug-discuss
Subject: Re: Basic Authentication with Apache?
On Sun, Apr 04, 2004 at 03:15:28PM -0700, Victor Odhner wrote:
> Vic Odhner agrees with Alex:
> PLEASE don't have your system logon passwords
> entered in the clear via HTTP. If you're using
> SSL, that's a little better, but still bad.
>
> The bottom line with security is that it is
> in direct opposition to productivity and
> convenience. You have to compromise security
> to some degree to get anything done. But sending
> passwords out in the clear is an absolute no-no,
> and using the same password for multiple things
> is -- frankly -- lazy and risky. (Of course there
> are real "single sign-on" systems, using Kerberos
> and LDAP, etc., but you really need to do your
> homework when setting up that type of thing.)
>
> Vic


Yes, I realize these implications. Right now this server is simply an
inside deal running on an internal network and a lot of the work on
here is merely academic so am trying to learn the basics of Apache
administration. I have lots to learn. I can see why most web sites
that require authentication do SSL plus they do their own custom ID /
password dialogs with basic authentication. I read just the other day
how basic realm auth works and I also agree with the scariness of
having password info sent in the clear like that. I figured for
internal local use that using the same password that is used for
machine login would suffice around here and why my original
questions:).

--
HolmesGrown Solutions
The best solutions for the best price!
http://ld.net/?holmesgrown
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
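
Added example, not part of the original thread: the Basic-over-HTTP setup discussed above next to a version that only challenges for credentials over TLS and checks them against a dedicated password file instead of system logon accounts. It assumes Apache 2.4 with mod_ssl; the hostname, realm name and all file paths are placeholders.

```apache
# --- Weak: Basic auth over plain HTTP ---------------------------------
# The browser sends "Authorization: Basic <base64 of user:password>" on
# every request. Base64 is an encoding, not encryption, so anyone who can
# observe the traffic can read the password.
<VirtualHost *:80>
    ServerName intranet.example
    <Location "/private">
        AuthType Basic
        AuthName "Internal"
        AuthUserFile "/etc/apache2/htpasswd-internal"
        Require valid-user
    </Location>
</VirtualHost>

# --- Hardened: challenge only over TLS, separate credential store -----
# Port 80 only redirects, so no 401 challenge is ever issued in the clear.
<VirtualHost *:80>
    ServerName intranet.example
    Redirect permanent "/" "https://intranet.example/"
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.example
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/intranet.example.pem"
    SSLCertificateKeyFile "/etc/ssl/private/intranet.example.key"

    <Location "/private">
        # Refuse the request outright if it somehow arrives without TLS.
        SSLRequireSSL
        AuthType Basic
        AuthName "Internal"
        # File-backed users that are distinct from machine logins, so a
        # captured web password does not also unlock a shell account.
        # Create entries with: htpasswd -B /etc/apache2/htpasswd-internal USER
        # Keep the file outside DocumentRoot and readable only by Apache.
        AuthBasicProvider file
        AuthUserFile "/etc/apache2/htpasswd-internal"
        Require valid-user
    </Location>
</VirtualHost>
```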