[4214] in WWW Security List Archive
adduser web page
daemon@ATHENA.MIT.EDU (nella@asis.com)
Thu Jan 30 19:25:08 1997
From: nella@asis.com
Date: Thu, 30 Jan 1997 11:11:31 -0800 (PST)
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Thank you all for your many helpful suggestions to me on allowing users to
change their passwords via a web page. We are currently investigating
several of them for implementation.

BTW, I am not offended by the suggestion that I don't know enough to
evaluate this situation thoroughly. It's true. But thanks to you all, much
light has been shed. I inherited the job of tending a small rural ISP
without enough knowledge for the job. Many of the passwords had been
cracked. Getting unsophisticated users to telnet in and change their
passwords has been impossible, so I've been looking for a way to make this
process accessible to them.

It seems as though this will be safe if the script filters for unacceptable
characters, uses file locking and a secure transaction web page, except for
the cache in the user's browser. Since this is not a corporate environment
in which people have access to each other's computers, I'm not concerned
about this.

I'm not clear on whether the secure transaction defeats web spoofing, but as
was pointed out, Netcom and several others are doing this.

Nella
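
Added example, not part of the original message and not any ISP's actual script: two of the measures named above, character filtering and file locking, applied to a password update in Python. The colon-separated `user:salt$hash` file, the username policy and all function names are assumptions, and the caller is assumed to have already authenticated the user over the secure page.

```python
import fcntl, hashlib, hmac, os, re, tempfile

# Assumed policy: an allowlist of username characters, never a blocklist.
USER_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")

def valid_password(pw):
    # Printable ASCII only: rejects newlines and control bytes outright.
    return 8 <= len(pw) <= 128 and all(32 <= ord(c) < 127 for c in pw)

def hash_password(pw, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()

def check_password(record, pw):
    salt_hex = record.partition("$")[0]
    candidate = hash_password(pw, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)

def change_password(path, user, new_pw):
    """Update user's record; True if found. ValueError on rejected input."""
    if not USER_RE.fullmatch(user):
        raise ValueError("username rejected")
    if not valid_password(new_pw):
        raise ValueError("password rejected")
    # Separate lock file: the data file is swapped by rename below, so a
    # lock held on the data file itself would not cover its replacement.
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # serialises concurrent requests
        with open(path) as f:
            lines = f.read().splitlines()
        found = False
        for i, line in enumerate(lines):
            if line.partition(":")[0] == user:
                lines[i] = f"{user}:{hash_password(new_pw)}"
                found = True
        if found:
            fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
            with os.fdopen(fd, "w") as f:
                f.write("\n".join(lines) + "\n")
            os.replace(tmp, path)  # atomic: readers see old or new file
    return found
```

The lock is released when the lock file is closed at the end of the `with` block; `fcntl.flock` is POSIX-only.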