[Zope] browser security

ozric ozric@tampabay.rr.com
Sun, 09 Jan 2000 21:25:49 -0500


You could use a multi-tier password setup, like grouping people into, say,
data admin, user, manager, etc. Once they are past the first level you can
auth user names. This way you have to go through 2 levels of passwords to
get to anything good. Just a thought.

Timothy Wilson wrote:
> 
> On Tue, 4 Jan 2000, Brian Lloyd wrote:
> 
> > I don't believe the username:password part of the URL
> > ever actually goes out on the wire - my understanding of this
> > is that IE (or other browsers that support this construct)
> > just accept this as a convenient shorthand and that they
> > remove the username/pw and send it in a header as usual...
> >
> > As far as cracking tools, I can't imagine how this would
> > have any impact one way or the other - it's really just
> > a client convenience.
> 
> I guess it just seems easy to imagine a cracking tool like John the Ripper
> that would start trying to guess passwords using the
> 
> http://user:password@site.com/
> 
> form rather than messing around with headers in the HTTP packets. But I'm not a
> programmer. I may very well be overestimating the risk.
> 
> -Tim
> 
> --
> Timothy Wilson       | "The faster you  |  Check out:
> Henry Sibley H.S.    |  go, the shorter | http://slashdot.org/
> W. St. Paul, MN, USA |  you are."       | http://linux.com/
> wilson@visi.com      |       -Einstein  | http://www.mn-linux.org/
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )

-- 
"Those who do not understand Unix are condemned to reinvent it, poorly."
 -- Henry Spencer

"For every complex problem there is an answer that is clear, simple, and wrong."
-- H L Mencken

"If you have a good sig, I might use it."
-- Ozric

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list with out my
permission.  Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damage per incident.
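An added example, not from anyone in this thread, showing what Brian describes: a
client that is given http://user:password@site.com/ strips the userinfo out of
the URL and sends the credentials as an HTTP Basic Authorization header, so the
request line on the wire never contains "user:password". The function names
(split_credentials, build_request, decode_basic) and the sample URLs are
assumptions made for the example; the server-side decode shows what Zope gets
either way, which is why a guessing tool gains nothing from the URL syntax.

```python
import base64
from urllib.parse import urlsplit, urlunsplit


def split_credentials(url):
    """Return ((user, password), url_without_userinfo) or (None, url).

    Mimics the browser behaviour discussed in the thread: the user:password@
    part is taken out of the URL before anything is put on the wire.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return None, url
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal needs its brackets back
        host = "[" + host + "]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return (parts.username, parts.password or ""), clean


def basic_auth_header(username, password):
    """Build the value of an HTTP Basic Authorization header (RFC 2617)."""
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


def build_request(url):
    """Return (request_line, headers) as a client would send them.

    The credentials, if any, travel only in the Authorization header; the
    request line carries just the path and query.
    """
    creds, clean = split_credentials(url)
    parts = urlsplit(clean)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    headers = {"Host": parts.netloc}
    if creds is not None:
        headers["Authorization"] = basic_auth_header(*creds)
    return f"GET {target} HTTP/1.0", headers


def decode_basic(header_value):
    """What the server (e.g. Zope) recovers from the header: the clear-text pair.

    Base64 is an encoding, not encryption, so the password is fully visible to
    anyone who can read the request.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample URL; site.com and the credentials are placeholders.
    line, headers = build_request("http://user:password@site.com/manage?x=1")
    print(line)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("server sees:", decode_basic(headers["Authorization"]))
```

The Authorization header is the same whether a guessing tool builds the
user:password@ URL or sets the header itself, so the URL shorthand neither
helps nor hinders a brute-force attempt; the thing that does matter is that
Basic auth over plain HTTP exposes the password to anyone on the path, and
credentials typed into a URL tend to end up in browser history and proxy logs.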