Date: 11/10/99
- In reply to: Kristian Köhntopp: "Re: [PHPLIB] the challenge response authentication - is it really more secure?"
Dear All,
According to my copy of IDG's "Javascript Bible" 3rd Edition,
password fields work exactly like text fields beginning
with Netscape Version 3. The password INPUT value can be
cleared after the MD5 is calculated and before the MD5
authorization is sent.
Best Regards,
Michael A. Hobson
Kristian Köhntopp wrote:
>
> Chuck Hagenbuch wrote:
> > the password gets sent back as well. The specs for an <input
> > type="password"> (according to my O'Reilly Javascript 2nd edition book)
> > pretty clearly state that the value field of a Password element is read-only
> > - meaning not only that you can't read the value, but that you can't clear
> > it either, as challenge-response auth tries to do.
>
> Sorry, but this is about the most braindead specification I have
> ever heard. Not being able to READ the password would make sense
> in an attempt to keep the password secret and would break PHPLIB's
> Challenge-Response security completely. Not being able to clear,
> i.e. WRITE, a password is about as useless as it can get.
>
> Having protected password fields and NOT providing "star-display"
> fields which are not protected at the same time is - well - kind
> of half assed. And of course protected password fields should stand
> out visually so that they can be recognized and distinguished from
> star-display fields by the user.
>
> Kristian
>
> --
> Kristian Köhntopp, NetUSE Kommunikationstechnologie GmbH
> Siemenswall, D-24107 Kiel, Germany, +49 431 386 436 00
> Using PHP3? See our web development library at
> http://phplib.netuse.de/ (We have moved! Update your bookmarks!)
> -
> PHP3 Base Library Mailing List. Send messages to <phplib <email protected>>.
> To unsubscribe, send "unsubscribe" to <phplib-request <email protected>> in
> the body, not the subject, of your message.
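The flow discussed in this thread (compute the MD5 response, blank the password field, then submit), as an added example that is not part of the original messages and is not PHPLIB's own code. The field names, the `user:password:challenge` formula and the plain objects standing in for form elements are assumptions; it runs under Node.

```javascript
// Added illustration: field names and the response formula are assumptions.
const crypto = require("node:crypto");

const md5hex = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Server side: issue a one-time random challenge, embedded in the login form.
function newChallenge() {
  return crypto.randomBytes(16).toString("hex");
}

// Client side (onsubmit handler): derive the response, then blank the
// password field so the cleartext is not part of the submitted form data.
function prepareSubmit(form) {
  form.response.value = md5hex(
    `${form.username.value}:${form.password.value}:${form.challenge.value}`
  );
  form.password.value = ""; // the write to the field that the thread is about
  return true;
}

// What a browser would put on the wire for this form.
function serialize(form) {
  return Object.entries(form)
    .map(([k, f]) => `${encodeURIComponent(k)}=${encodeURIComponent(f.value)}`)
    .join("&");
}

// Server side: recompute from the stored password and the issued challenge.
function verify(post, storedPassword, issuedChallenge) {
  if (post.password !== "") return "cleartext-sent"; // field was not cleared
  const expected = md5hex(`${post.username}:${storedPassword}:${issuedChallenge}`);
  const a = Buffer.from(expected);
  const b = Buffer.from(String(post.response));
  return a.length === b.length && crypto.timingSafeEqual(a, b) ? "ok" : "denied";
}

// Constructed sample form standing in for the DOM elements.
function sampleForm(challenge) {
  return {
    username: { value: "alice" },
    password: { value: "s3cret-constructed" },
    challenge: { value: challenge },
    response: { value: "" },
  };
}
```

The `cleartext-sent` result is the case where the browser did not allow the field to be cleared, so the password travelled alongside the response. The server has to hold the password (or a password-equivalent value) to recompute the response.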

