
Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



wilke rodriquez wrote on 6/15/2008 8:28 PM:
> I recently came across a website that passed the user credentials through the HTTP header in clear-text but via HTTPS. Is this practice considered secure?

Secure as compared to what? It's not less secure than passing the username and password as clear text via a form POST over HTTPS, which is how my bank, mortgage company, credit card companies, etc. have me log into their sites. Not saying that's ideal, but that is the security they're using.


> Would this also show that the passwords are being stored in clear-text and not encrypted with a salt value in the db?

No. It could be the site stores the passwords using some hash function, and upon attempting to log in, the system hashes the submitted password and compares that to the stored hash.


> It seems to me there are a few more secure options when dealing with authentication. What do you all suggest as the best for a low user (less than 10) system? The system does need added security due to the contents.

If you have 10 known users, then don't make the webapp accessible to the Internet, instead make it only accessible on your local network to a specific range of IP addresses. Then have the users access your local network via VPN, give them each a unique IP address within the allowed range, and only allow the specific user to log in from their specific IP address (that prevents UserB from attempting to log in as UserA from UserB's VPN connection). And of course, you can use Digest Authentication or an alternative if you want to avoid clear text passwords:

	<http://en.wikipedia.org/wiki/Digest_access_authentication>


- Bil
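The Digest scheme linked above, worked through as an added example (not code from the thread or from any project it mentions): the client proves knowledge of the password with an MD5 response bound to the server's nonce, and the server verifies against a stored HA1 rather than a clear-text password. Function names are my own; the worked values are the RFC 2617 / Wikipedia example for user "Mufasa".

```python
import hashlib
import secrets

# Added example (not from the thread): the RFC 2617 "qop=auth" Digest exchange
# described in the linked Wikipedia article. The password itself never crosses
# the wire; only an MD5 response tied to the server's nonce does.

def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). This is what the server keeps per
    # user instead of the clear-text password. Caveat: HA1 is still
    # password-equivalent for this realm, so the store needs the same
    # protection as a password database would.
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def new_server_nonce() -> str:
    # Server side: a fresh, unpredictable nonce for each challenge.
    return secrets.token_hex(16)

def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, cnonce: str, nc: str = "00000001") -> str:
    # Client side: derive HA1 locally from the typed password, then the response.
    return digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)

def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    # Server side: recompute from the stored HA1 and compare in constant time.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)

if __name__ == "__main__":
    # Worked values from the RFC 2617 section 3.5 example (also on Wikipedia).
    nonce, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
    resp = client_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html", nonce, cnonce)
    print(resp)  # 6629fae49393a05397450978507c4ef1
    stored = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(server_verify(stored, "GET", "/dir/index.html", nonce, "00000001", cnonce, resp))  # True
```

Note that the nonce binding is what stops a captured response from being reused against a later challenge; it does nothing for confidentiality of the rest of the request, which is still TLS's job.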


