[Tutor] passwords
Danny Yoo
dyoo@hkn.eecs.berkeley.edu
Mon, 11 Feb 2002 13:21:05 -0800 (PST)

On Mon, 11 Feb 2002, Remco Gerlich wrote:
> If your web server is cracked, the page with the form can be replaced
> by one which sends the form info to somewhere else, so the cracker
> receives the password info.
>
> Even if this is not possible, someone could change browser settings at
> a *user's* computer, so they get a page that looks like the change
> password page but actually sends the info to the cracker (for instance
> by configuring a proxy). This is usually very easy.
>
> Form contents may be cached on the user's computer.

A non-Python solution might involve remote access with SSH. There's a
Java SSH applet called 'Mindterm' that you can embed in your web page ---
this may be a better approach, since the applet has more control over the
information going through the network. Take a look at:

    http://www.appgate.org/mindterm/

for details on Mindterm.

Hope this helps!