CGI question: safe passwords possible?

Paul Rubin
Sat May 31 04:12:20 EDT 2003


hwlgw at hotmail.com (Will Stuyvesant) writes:
> - Authenticate?  HTTP Digest?

Authenticate means prove your identity to something.  HTTP specifies
two authentication methods, Basic and Digest.  Basic means the password
is sent in the clear.  Digest means the password is salted and hashed,
though it's still subject to dictionary attacks.  More importantly, an
awful lot of browsers only support Basic authentication and not Digest.

Also, HTTP authentication doesn't provide a lot of fancy features,
because if you want to do something more complicated, you can ask for
a password in your web form and let your cgi do its own
authentication.  For example, you might program your cgi to lock the
user's account if s/he enters a wrong password three times in a row or
something like that.  HTTP servers normally won't do anything that
complicated with HTTP authentication.

> To authenticate means something like identify?  So the server knows it
> is *the* user and not somebody else?  I have only a vague notion of
> this.

Yes, for example the user authenticates him/herself by entering a password.

> Indeed I am on a hosted environment, so SSL is no option, as far as I
> understand...

Check with the hosting provider.  A lot of them offer SSL these days.
Don't assume SSL isn't an option unless the provider tells you it isn't.
And if your provider doesn't offer SSL, maybe you can switch providers
to one that does.

> I did see "Authentication:" headers in the HTTP, could that be done
> from CGI?

Yes.

> - .htaccess?  
> I guess to "upload a simple .htaccess" is possible, just like putting
> .html files in ~/public_html or .py (CGI) files in ~/cgi-bin?  But
> what do I put in that .htaccess file?

Whether you can use HTTP authentication from a .htaccess file is again
controlled by the hosting provider.  This isn't really the newsgroup
for that kind of question, try a webmastering newsgroup.

What is the application, if you don't mind my asking?  Who do you
think might intercept the password and what will they do with it if
they get it? Having that info helps understand the security needs.
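The Basic/Digest distinction and the three-strikes lockout described above, worked through as an added Python example that is not part of the thread. The header value, realm, URI and nonce are constructed; Digest is shown in its RFC 2617 form without qop, and the server side verifies a Digest login by recomputing digest_response from its stored password and comparing.

```python
import base64
import hashlib
import hmac
import os

MAX_FAILURES = 3  # lock the account after three wrong passwords in a row
BASIC_HEADER = "Basic YWxpY2U6czNjcmV0"  # constructed: base64 of "alice:s3cret"


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def decode_basic(header):
    """Basic auth: anyone who sees the header gets the password back with one base64 decode."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest (no qop, simplified): only MD5 hashes of the password reach the wire."""
    ha1 = _md5(f"{user}:{realm}:{password}")  # the realm plays the role of the salt
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Account:
    """Server-side record for a CGI that does its own login: salted hash plus failure counter."""
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.failures = 0
        self.locked = False

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check(self, password):
        """Returns 'ok', 'bad_password' or 'locked'; three misses in a row lock the account."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._hash(password), self.pw_hash):
            self.failures = 0  # a correct login resets the consecutive-failure count
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "bad_password"
```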