CGI question: safe passwords possible?

Paul Rubin http
Mon Jun 2 10:02:06 EDT 2003


Peter Hansen <peter at engcorp.com> writes:
> Ah, a nice solution, I would say.  If the password is actually compromised,
> requiring the user to contact the administrator to "reset" their password,
> or asking the server to generate a new password which is sent via email,
> would be reasonably acceptable approaches.

If the opponent is intercepting web traffic they're probably also
intercepting email.  It's sort of possible to implement low-exponent
RSA encryption in JavaScript if you're crazy enough.  The user could
choose a new password and send it to the server that way.

It's all silly though; SSL is definitely the way to do this.  Any
application with serious enough security requirements to worry about
passwords getting intercepted from IP traffic needs to choose good
hosting providers, and those usually offer SSL.



