Re: WebTFM

Bradley Hughes (brad@nospam.arrakis.com.au)
Thu, 18 Jan 1996 15:44:35 +1100

Dennis said:
>You _COULD_ use the same user names and passwords members to do log in...
>except that the password file format used by NCSA httpd (our web server
>software) does not _EXACTLY_ match the same format as /etc/passwd
>(it's close tho).

I hadn't actually considered using the actual /etc/passwd passwords for
users. My idea was that each user would specify a password in a fill-out
form when registering for access to the restricted part of the Web. Dennis
is right though, it's inherently no more insecure to use actual account
passwords.

The only difference lies in the possible consequences of password
interception. If someone finds out your password for accessing restricted
web pages it's not really a huge problem. If someone finds out your shell
account password that could well have more serious ramifications. But
since, as Dennis says, passwords are normally sent unencrypted when
establishing a telnet session anyway, why not use users' shell account
passwords? That would make things a lot easier to manage on the server
side. There would be no need to handle registrations at all.

later,

Brad.

---
Bradley Hughes, Webmaster      brad@nospam.arrakis.com.au
Arrakis Internet Services      http://www.arrakis.com.au/
Ph: + 61 2 310 7500            Without action, ideas are nothing.
-----------------------------------------------------------------
'Filthy Art:  Graffiti, Grunge and the Net' can be found at:
http://www.arrakis.com.au/content/magazine/brereton/graffiti/