[3472] in WWW Security List Archive
Re: Password protected HTML
daemon@ATHENA.MIT.EDU (Ole Craig)
Wed Nov 6 11:44:05 1996
From: Ole Craig <olc@cs.umass.edu>
To: bc17684@90.deere.com (Bert Carroll)
Date: Wed, 6 Nov 1996 09:11:11 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <327FA278.5520@90.deere.com> from "Bert Carroll" at Nov 5, 96 02:24:24 pm
Errors-To: owner-www-security@ns2.rutgers.edu
Bert Carroll vociferated:
> From owner-www-security@ns2.rutgers.edu Wed Nov 6 07:10:42 1996
> To: www-security@ns2.rutgers.edu
> Subject: Password protected HTML
>
> I want to use the password file that comes with Solaris rather than the
> standard one used by Netscape and other webservers. What I am really
> after is the ability to "age" a password and / or check it against a
> dict file before allowing the user to set weak passwords.
>
> Any ideas? (Yep, I did try the Netscape Manual)
>
Forgive me if I'm being dense, but...
The passwords in the htpasswd file (or whatever you're using)
are created using crypt(), the same way the ones in /etc/passwd
are. What about a script that extracts the username/encrypted passwd
pairs from /etc/passwd and outputs them in the format htpasswd
expects? You could run it as a cron job every night to keep 'em up to
date.
(Of course, I think it's a *bad* idea to use the same password
for browser access that you use for a shell account, but if that's
what you want...)
Another idea, depending on how you let your users set their
passwords, would be to hack the ANLpasswd routines to access/output an
htpasswd file rather than /etc/passwd. That doesn't address the ageing
issue, but does force the choice of passwords that aren't as
vulnerable to dictionary cracking.
-Ole ("Scar") SI NON CONFECTVS NON REFICIAT
Systems analysis: The process of finding precisely the right wrench
with which to pound the correct screw. (anon)
---------------------------------------------------------------------
Ole Craig * olc@cs.umass.edu * (413)545-4294 voice, (413)545-1249 fax
CS Computing Facility * University of Massachusetts
<http://www.cs.umass.edu/~olc/> for public key (or use finger)
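A worked version of the two suggestions in Ole's message, added here as an example; it is not code from the message, from htpasswd, or from ANLpasswd. The first function copies crypt() hashes out of a passwd- or shadow-format file into the user:hash lines htpasswd expects, the second wraps that in the nightly cron job, and the third is a stand-in for the ANLpasswd-style dictionary check (it does nothing about ageing, as the message says). The sample password and dictionary data are constructed, the hash strings are placeholders of the right shape rather than real hashes, and the file paths in the comments are assumptions. One caveat the message does not mention: on Solaris 2.x the hashes are not in /etc/passwd at all but in /etc/shadow, readable only by root, so the cron job has to run as root against that file.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors crypt(3) hashes from a
# passwd/shadow-format file into htpasswd format, and screens a candidate
# password against a dictionary the way a hacked ANLpasswd would.
#
# Assumptions (not from the post): 13-character DES crypt() hashes, as
# 1996-era htpasswd and Solaris both produced; on Solaris 2.x the hashes live
# in /etc/shadow (readable only by root), not /etc/passwd, so run the sync
# from root's crontab against that file.

# Constructed sample in passwd(4)/shadow(4) layout. The hash fields are
# placeholders of the right shape, not real hashes. root is shadowed ("x"),
# olc has no password ("NP") and guest is locked ("*LK*"); only bert and www
# carry something a browser could authenticate against.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
bert:abJnggxhB/yWI:1001:10:Bert Carroll:/home/bert:/bin/ksh
olc:NP:1002:10:Ole Craig:/home/olc:/bin/csh
guest:*LK*:1003:10:Guest:/home/guest:/bin/sh
www:K4J9mL2bfpRjA:1004:10:Web User:/home/www:/bin/sh'

# Constructed dictionary, one word per line (a real one is far larger).
SAMPLE_DICT='password
secret
welcome
letmein
solaris'

# passwd_to_htpasswd: read passwd/shadow lines on stdin, write "user:hash"
# lines. Only a second field that looks like a DES crypt() hash (exactly 13
# characters from [A-Za-z0-9./]) is copied, so shadowed, locked, NIS (+/-)
# and passwordless entries never reach the web server.
passwd_to_htpasswd() {
    awk -F: 'length($2) == 13 && $2 ~ /^[A-Za-z0-9.\/]+$/ { print $1 ":" $2 }'
}

# sync_htpasswd SRC DST: the nightly cron job. Writes to a mode-600 temp file
# and renames it into place so the server never reads a half-written file.
# Example crontab line (paths are assumptions):
#   0 3 * * * /usr/local/sbin/sync_htpasswd /etc/shadow /usr/local/etc/httpd/.htpasswd
sync_htpasswd() {
    (
        umask 077
        tmp="$2.tmp.$$"
        passwd_to_htpasswd < "$1" > "$tmp" && mv -f "$tmp" "$2"
    )
}

# password_is_weak USER PASSWORD DICTFILE: return 0 (weak) if the candidate
# is shorter than 8 characters, contains the username, or matches a
# dictionary word as typed, reversed, or with trailing digits stripped, all
# case-insensitively. Return 1 if none of those apply. This does not age
# passwords; it only keeps the obvious dictionary words out of the file.
password_is_weak() {
    user=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    dict=$3
    if [ "${#pw}" -lt 8 ]; then
        return 0
    fi
    case "$pw" in *"$user"*) return 0 ;; esac
    reversed=$(printf '%s' "$pw" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }')
    stripped=$(printf '%s' "$pw" | sed 's/[0-9]*$//')
    grep -qixF -e "$pw" -e "$reversed" -e "$stripped" "$dict"
}

# Demo on the constructed data: prints the two usable entries.
printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_htpasswd
```

The 13-character test is what keeps "x", "NP" and "*LK*" out of the web password file; if the server's htpasswd ever moves to a different hash format, that check is the line to change. The dictionary check runs before crypt() is ever called, so it belongs in whatever program sets the password, not in the nightly sync.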