On Tue, 4 Jan 2000, Brian Lloyd wrote:
> I don't believe that the username:password part of the url ever actually goes out on the wire - my understanding of this is that IE (or other browsers that support this construct) just accept this as a convenient shorthand and that they remove the username/pw and send it in a header as usual...
> As far as cracking tools, I can't imagine how this would have any impact one way or the other - it's really just a client convenience.
I guess it just seems easy to imagine a cracking tool like John the Ripper that would start trying to guess passwords using the http://user:password@site.com/ than messing around with headers in the http packets. But I'm not a programmer. I may very well be overestimating the risk.

-Tim

--
Timothy Wilson       | "The faster you  | Check out:
Henry Sibley H.S.    | go, the shorter  | http://slashdot.org/
W. St. Paul, MN, USA | you are."        | http://linux.com/
wilson@visi.com      | -Einstein        | http://www.mn-linux.org/