Re: Webmail authentication

From: Chris Berry (compjma@hotmail.com)
Date: 12/20/02

    From: "Chris Berry" <compjma@hotmail.com>
    To: security-basics@securityfocus.com
    Date: Thu, 19 Dec 2002 15:57:21 -0800
    
    

    >From: "David Brown" <David.Brown@synergex.com>
    >My company is working on a webmail implementation, which requires that
    >the user authenticate to an NT domain. Regardless of the
    >authentication method, there is always an option in the login dialog
    >to 'Save this password in your password list', which seems to be
    >browser driven. I don't want my user population saving their
    >passwords to various computers all over the world. Does anyone have a
    >clue how to remove or disable this option?

    If you mean browsers on your corporate network you can disable it in
    IE\tools\options or lock it down using local security policy/Active
    Directory (this assumes you're using IE, don't think that will work for
    Mozilla, Netscape, Opera, or Lynx). Basically, though, I would not rely on
    this method even if you are using IE. I recommend that instead of allowing
    your users to type in their passwords into a javascript form box, you should
    use another authentication method. Certificates might be a good idea or you
    could create a virtual keyboard on the sign in page, and have them click on
    the buttons to enter their password. Whatever you come up with, I agree
    that having your passwords saved all over the place is a bad idea, and you
    might want to consider forcing them to use a different password for email
    than their logon password.

    Chris Berry
    compjma@hotmail.com
    Systems Administrator
    JM Associates

    "Live dangerously, overclock your servers."


