On Wed, 2006-09-20 at 13:05 -0700, frank wrote:

> At the 11th hour before the new site is to go online, we are suddenly
> unsure that using clear-text passwords is adequate.
>
> Currently the web site has a few pages that will be readable by anyone.
> If someone wants to see more, or download content, they have to
> establish an account. This is free, they just enter a username and
> email address and django sends them their password. Nobody is involved
> in setting up new accounts.
>
> Some people may unthinkingly use a password for something important for
> this web site, just because it's something they already remember. To
> avoid the risk of a password sniffer, it would be nice to encrypt the
> password in transit.
>
> Following the apache authentication results in a web site which is
> completely protected - there are _no_ available pages until login
> occurs. That won't work. Short of setting up a second server (one for
> completely open pages, the other for pages requiring authentication),
> is there a reasonably straightforward way to send passwords in
> encrypted form?
The only truly secure way to do this is to make sure the pages submitting passwords do so over HTTPS. All solutions involving using Javascript to do client-side hashing or encrypting are vulnerable to man-in-the-middle and replay attacks. Hashing solutions like that are also vulnerable to being cracked (encrypted versions, not so much).

You could redirect them to a secure log-in page or pages if you just wanted that portion to be over HTTPS and the rest over HTTP. Then only the session cookie needs to travel over HTTP and can contain the authorisation information.

Regards,
Malcolm
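As an added illustration of the split Malcolm describes (this is not code from the thread or from Django itself), the policy below keeps public pages on plain HTTP while any page that carries a password is served and submitted over HTTPS. The path prefixes and the host name are assumptions; the decision logic is kept framework-neutral so it can be dropped into a Django middleware's process_request or tested on its own.

```python
"""Mixed HTTP/HTTPS policy: public pages stay on HTTP, credential forms
must be requested and posted over HTTPS. Added example, not project code."""

# Assumed URL layout: every path under these prefixes carries a password.
SECURE_PREFIXES = ("/accounts/login/", "/accounts/signup/", "/accounts/password/")


def needs_https(path):
    """True when the requested path belongs to a credential-carrying page."""
    return any(path.startswith(prefix) for prefix in SECURE_PREFIXES)


def https_url(host, full_path):
    """Same resource, same host, but on the HTTPS scheme.
    `host` must come from a validated Host header (Django's
    request.get_host() checks it against ALLOWED_HOSTS), otherwise an
    attacker-controlled Host would choose the redirect target."""
    return "https://%s%s" % (host, full_path)


def decide(method, scheme, host, full_path):
    """Decide what to do with one request.

    Returns a pair (action, detail):
      ("allow", None)       public page, or already on HTTPS: let it through
      ("redirect", url)     GET/HEAD for a credential page over HTTP: bounce
                            the browser to the HTTPS copy before it renders
                            a form that would post in the clear
      ("reject", reason)    POST of credentials over HTTP: redirecting a
                            POST would drop the body, and the secret has
                            already crossed the wire; refuse instead of
                            silently accepting it
    """
    if scheme == "https" or not needs_https(full_path):
        return ("allow", None)
    if method in ("GET", "HEAD"):
        return ("redirect", https_url(host, full_path))
    return ("reject", "credentials submitted over plain HTTP")


class LoginOverHttpsMiddleware:
    """Old-style Django middleware hook. `request` is duck-typed: it needs
    .method, .is_secure(), .get_host() and .get_full_path(). The two
    response factories are injected so the class has no Django import."""

    def __init__(self, redirect_response, bad_request_response):
        self.redirect_response = redirect_response
        self.bad_request_response = bad_request_response

    def process_request(self, request):
        scheme = "https" if request.is_secure() else "http"
        action, detail = decide(request.method, scheme,
                                request.get_host(), request.get_full_path())
        if action == "redirect":
            return self.redirect_response(detail)
        if action == "reject":
            return self.bad_request_response(detail)
        return None  # "allow": Django continues to the view
```

In a real deployment the factories would be django.http.HttpResponseRedirect and django.http.HttpResponseBadRequest, and the session cookie that the reply mentions still travels over HTTP, so it protects only the password, not the logged-in session.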