On Dec 03, Enrico Zini wrote:
> I'm root, I'm on a Debian Slink or on a Debian Potato, and I would
> like to present my intranet users a web page to change their
> passwords. It would be easy to do, if I just had to work with the
> good old /etc/passwd database: read the old password, verify it,
> encrypt the new one and change it in passwd.

How do you prevent people from cracking passwords via your web page? I'm still looking for a secure way to accept passwords via HTML - even with SSL, from what I understand the available authentication stuff isn't suitable for use with /etc/passwd. It's too easy for someone to write a brute-force password scanner that won't leave traces.