Re: how to programmatically prevent passwords being saved?
From: Winged (Winged_at_nofollow.com)
Date: Tue, 15 Nov 2005 19:53:50 -0600
Hairy One Kenobi wrote:
> "winged" <firstname.lastname@example.org> wrote in message
>>Hairy One Kenobi wrote:
>>>"CoffeeGood" <email@example.com> wrote in message
>>>If you are getting them to connect over an SSL link (and, if the data is
>>>remotely private - let alone critical - then you are) then the password
>>>is not saved by default on any platform that I know of.
>>But the user "can" save passwords on at least IE, Firefox, and Netscape
>>over SSL. This paper you may find useful in solving your issue:
> Actually, I'm not convinced that applies - if the laptop was stolen (the
> example given), then the hash would be identical.
> If the OP is determined to annoy his users by stopping them from
> /deliberately/ choosing the non-default option of storing his or her
> password, then you're looking at (e.g.) implementing a banking-style letter
> selection authentication (third letter, followed by first letter, and so
> on). That way, if the thief manages to lose the post-it stuck to the laptop,
> they won't be able to log in (cynic, moi?)
> The biggest challenge would not be writing the server-side scripting, but in
> trying to ensure that an entire unencrypted list isn't stolen if the site
> gets hacked.
Secret here, don't get hacked. Ensure protected data does not live on
the web server and the communication pipes are encrypted and triggered
from the non-exposed server. Additionally ensure the data server ceases
all communications on pipe error. Better to lose the service than the