Python Scripts to logon to websites

Paul Rubin http
Thu Jan 12 04:21:27 EST 2006

Steve Holden <steve at> writes:
> Underlining your point, the difference between the two is that digest
> offers *strong* authentication (i.e. is not subject to replay attacks)

As I mentioned in another post, that's really not enough, since digest
still exposes the password hash to offline dictionary attacks, which
are sure to nab some passwords if you have a lot of users being
sniffed and you don't impose severe amounts of password discipline on
them.  There's also usually no way to log out from an http
authenticated session except by completely closing the browser.  All
in all, if you have nontrivial security requirements there's not much
point in using Digest.  Use form-based authentication over SSL/TLS
instead.  Make sure that the application locks out the user account
(at least temporarily) after too many failed login attempts, something
http authentication implementations that I know of don't bother to do.

For higher security applications (e.g. extranets, admin interfaces,
etc), use client certificates on hardware tokens.

More information about the Python-list mailing list