CGI question: safe passwords possible?

Paul Rubin http
Sun Jun 1 00:24:44 CEST 2003


hwlgw at hotmail.com (Will Stuyvesant) writes:
> I am building a prototype for an application.  For this
> I would very much like to do CGI programming with
> Python.  I already have most of it figured out, with
> Python and CGI, in a nice way, independent of host or
> operating system etc.  But the customer insists on
> "security".  They are not too tech-savvy about
> security, even less than I am.  So I could just try to
> sell them something that is not secure at all, like the
> prototype I have now using HTML forms with "user" and
> "password" fields. ....

The way to secure what you're doing is with SSL.  Do not roll your own
cryptography in Python or in any other language.  If your hosting
provider doesn't support SSL, that's fine, it's a prototype.  Tell the
customer that the prototype doesn't have SSL enabled but the real
version will have it.  Then make arrangements for SSL hosting for the
real version.

Yes you do have a problem about password distribution and what to do
if a user forgets their password.

You should read the book "Security Engineering" by Ross Anderson.
There is a heck of a lot more to security than encrypting a password.




More information about the Python-list mailing list