[1783] in WWW Security List Archive
Re: Is password good enough?
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Thu Apr 4 11:56:34 1996
From: Prentiss Riddle <riddle@is.rice.edu>
To: robertm@teleport.com (Robert S. Muhlestein), www-security@ns2.rutgers.edu
Date: Thu, 4 Apr 1996 08:25:10 -0600 (CST)
Cc: jazayeri@hpcc117.corp.hp.com
In-Reply-To: <Pine.SUN.3.92.960403164449.25342o-100000@zoe.teleport.com> from "Robert S. Muhlestein" at Apr 3, 96 05:00:56 pm
Errors-To: owner-www-security@ns2.rutgers.edu
| Date: Wed, 3 Apr 1996 17:00:56 -0800 (PST)
| From: "Robert S. Muhlestein" <robertm@teleport.com>
| To: Mariam Jazayeri <jazayeri@hpcc117.corp.hp.com>
| Subject: Re: Is password good enough?
| In-Reply-To: <199604032134.AA092837277@hpcc117.corp.hp.com>
|
| Of course, if you have many users with shell access .htaccess isn't
| acceptable for the simple fact that users can look at the .htpasswd file
| for the legal usernames. Hence the "rule": never use UNIX system account
| usernames and passwords for ".htaccess"-type authentication.
Also, if you have many users with shell access they can probably look
directly (bypassing HTTP) at whatever files you're protecting with
password access. (Assuming you run your web server as "nobody" or some
other low-privileged pseudouser.) So password access control may be of
limited usefulness within an organization, at least in an environment
where many people have accounts on your server box.
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
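The exposure discussed in this thread, turned into a defender's check, as an added example that is not from the original message or its authors: because the web server runs as an unprivileged user such as "nobody", anything it can serve is normally world-readable, so any local shell account can read both the protected content and `.htpasswd` directly. The audit below lists every world-readable file under a document tree and tags credential files; the sample tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): find files under a web
# tree that any local shell user could read without going through the
# HTTP password check. A file the server (running as "nobody") can read
# is, in the usual setup, readable by everyone on the box.
audit_world_readable() {
    # $1: directory to audit. Prints one line per world-readable file:
    # CREDS for .htpasswd (leaks valid usernames), CONTENT otherwise.
    # -perm -004 selects files with the "other read" bit set.
    find "$1" -type f -perm -004 | while IFS= read -r f; do
        case "$(basename "$f")" in
            .htpasswd) printf 'CREDS    %s\n' "$f" ;;
            *)         printf 'CONTENT  %s\n' "$f" ;;
        esac
    done | sort
}

# Constructed sample tree: a password-protected directory whose files are
# readable by the server, hence by every shell user, plus one file that is
# group-readable only (the server could not serve it either).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/private"
    printf 'alice:PLACEHOLDER_HASH\n' > "$d/private/.htpasswd"
    printf 'confidential report\n'    > "$d/private/report.html"
    printf 'public page\n'            > "$d/index.html"
    chmod 644 "$d/private/.htpasswd" "$d/private/report.html" "$d/index.html"
    printf 'group only\n'             > "$d/private/group.html"
    chmod 640 "$d/private/group.html"
    printf '%s\n' "$d"
}

# Number of world-readable files under $1.
count_world_readable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}
```

Run `audit_world_readable /path/to/docroot` against a real tree; any CONTENT line under a directory guarded only by an `.htaccess` password is content that shell users can read without authenticating.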