You could use a multi-tier password setup, like grouping people into, say, data admin, user, manager, etc. Once they are past the first level you can auth user names. This way you have to go through 2 levels of passwords to get to anything good. Just a thought.

Timothy Wilson wrote:
On Tue, 4 Jan 2000, Brian Lloyd wrote:
I don't believe that the username:password part of the url ever actually goes out on the wire - my understanding of this is that IE (or other browsers that support this construct) just accept this as a convenient shorthand and that they remove the username/pw and send it in a header as usual...
As far as cracking tools, I can't imagine how this would have any impact one way or the other - it's really just a client convenience.
I guess it just seems easy to imagine a cracking tool like John the Ripper that would start trying to guess passwords using the
http://user:password@site.com/
rather than messing around with headers in the http packets. But I'm not a programmer. I may very well be overestimating the risk.
-Tim
--
Timothy Wilson       | "The faster you   | Check out:
Henry Sibley H.S.    |  go, the shorter  | http://slashdot.org/
W. St. Paul, MN, USA |  you are."        | http://linux.com/
wilson@visi.com      | -Einstein         | http://www.mn-linux.org/
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
--
"Those who do not understand Unix are condemned to reinvent it, poorly." -- Henry Spencer
"For every complex problem there is an answer that is clear, simple, and wrong." -- H L Mencken
"If you have a good sig, I might use it." -- Ozric
Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) this email address may not be added to any commercial mail list without my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damage per incident.
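Added example, not from anyone in the thread: what a browser does with a user:password@ URL of the kind discussed above (strip the credentials and send them as a Basic Authorization header), a decoder showing the header is only base64 and not encryption, and a check for such URLs left behind in logs. Python 3 standard library only; the log lines are constructed.

```python
import base64
from urllib.parse import urlsplit, urlunsplit


def split_userinfo_url(url):
    """Mimic the browser: strip user:password@ from the URL and return
    (clean_url, authorization_header). Header is None if no userinfo."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    # Rebuild the host part without the credentials.
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path,
                        parts.query, parts.fragment))
    creds = f"{parts.username}:{parts.password or ''}".encode()
    return clean, "Basic " + base64.b64encode(creds).decode()


def decode_basic(header_value):
    """Reverse a Basic header: base64 only, so anyone who sees the header
    (a proxy, a sniffer on a non-TLS link, a log file) gets the password."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def find_url_credentials(log_lines):
    """Defender check: URLs with embedded credentials that reached a log
    file mean the password is now on disk in clear text."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if token.startswith(("http://", "https://")) \
                    and urlsplit(token).username:
                hits.append(token)
    return hits


if __name__ == "__main__":
    # Constructed sample: one proxy line with a leaked credential, one clean.
    sample = ['10.0.0.5 "GET http://bob:s3cret@intranet.example/ HTTP/1.0" 200',
              '10.0.0.6 "GET http://intranet.example/ HTTP/1.0" 401']
    print(split_userinfo_url("http://user:password@site.com/"))
    print(find_url_credentials(sample))
```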