CGI question: safe passwords possible?

Peter Hansen peter at engcorp.com
Mon Jun 2 10:17:45 EDT 2003


Paul Rubin wrote:
> 
> Peter Hansen <peter at engcorp.com> writes:
> > Ah, a nice solution, I would say.  If the password is actually compromised,
> > requiring the user to contact the administrator to "reset" their password,
> > or asking the server to generate a new password which is sent via email,
> > would be reasonably acceptable approaches.
> 
> If the opponent is intercepting web traffic they're probably also
> intercepting email.  It's sort of possible to implement low-exponent
> RSA encryption in Javascript if you're crazy enough.  The user could
> choose a new password and send it to the server that way.
> 
> It's all silly though, SSL is definitely the way to do this.  Any
> application with serious enough security requirements to worry about
> passwords getting intercepted from IP traffic needs to choose good
> hosting providers, and those usually offer SSL.

I'd definitely agree with that!



