CGI question: safe passwords possible?
Peter Hansen
peter at engcorp.com
Mon Jun 2 10:17:45 EDT 2003
Paul Rubin wrote:
>
> Peter Hansen <peter at engcorp.com> writes:
> > Ah, a nice solution, I would say. If the password is actually compromised,
> > requiring the user to contact the administrator to "reset" their password,
> > or asking the server to generate a new password which is sent via email,
> > would be reasonably acceptable approaches.
>
> If the opponent is intercepting web traffic they're probably also
> intercepting email. It's sort of possible to implement low-exponent
> RSA encryption in Javascript if you're crazy enough. The user could
> choose a new password and send it to the server that way.
>
> It's all silly though, SSL is definitely the way to do this. Any
> application with serious enough security requirements to worry about
> passwords getting intercepted from IP traffic needs to choose good
> hosting providers, and those usually offer SSL.
I'd definitely agree with that!