Re: Stronger password based HTTP client authentication?
From: TutaePaki (tutaepaki@paradise.WHAT.net.nz)
Date: 05/02/02
From: "TutaePaki" <tutaepaki@paradise.WHAT.net.nz> Date: Fri, 3 May 2002 09:55:53 +1200
"Zoltan Glozik" <zglozik@s_t_o_n_e_s.com> wrote in message
news:aaqutu$8al$1@kermit.esat.net...
> Hi All,
>
> As I understand the biggest drawback of using Basic Password authentication
> over SSL is that dictionary attacks are possible. There is nothing that
> prevents the client from trying common passwords as many times as it wants.
>
> Is there a solution for any of the available web servers (preferably for
> Apache) that locks a user account after a certain number of password
> failures for a few minutes/hours/forever? If there was an Apache module that
> implements this feature would this kind of client authentication with strong
> password policy be much more secure? Or do I miss the point and that would
> not help at all...
>
> Thanks for any pointers,
> Zoltan

I guess you could troll your error logs and disable a user which had repeated failures?
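
The log-scanning approach suggested in the reply above, sketched as an added example that is not part of the original post: it counts password failures per user in a sliding time window and reports which accounts reached the threshold. The log line layout, the `accounts_to_lock` name, the threshold and the window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data. The line layout is an assumption modelled on
# Apache 2.0-style error-log entries; adjust LINE_RE to your server's format.
SAMPLE_LOG = '''\
[Fri May 03 09:50:01 2002] [error] [client 192.0.2.10] user alice: authentication failure for "/private": Password Mismatch
[Fri May 03 09:50:09 2002] [error] [client 192.0.2.10] user alice: authentication failure for "/private": Password Mismatch
[Fri May 03 09:51:30 2002] [error] [client 192.0.2.77] user bob: authentication failure for "/private": Password Mismatch
[Fri May 03 09:52:15 2002] [error] [client 192.0.2.10] user alice: authentication failure for "/private": Password Mismatch
[Fri May 03 10:20:00 2002] [error] [client 192.0.2.77] user bob: authentication failure for "/private": Password Mismatch
[Fri May 03 10:55:00 2002] [error] [client 192.0.2.77] user bob: authentication failure for "/private": Password Mismatch
[Fri May 03 10:56:00 2002] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
'''

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
    r'user (?P<user>[^:]+): authentication failure for "[^"]*": Password Mismatch')

def accounts_to_lock(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return {user: timestamp of the failure that reached max_failures
    within the sliding window}."""
    recent = defaultdict(deque)    # user -> failure times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # not a password-mismatch entry
        user = m.group("user")
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and user not in flagged:
            flagged[user] = ts
    return flagged

if __name__ == "__main__":
    for user, when in accounts_to_lock(SAMPLE_LOG).items():
        print(f"lock {user}: threshold reached at {when}")
```

Locking on the username alone lets anyone who knows a username lock its owner out, so a time-limited lock is the safer action to drive from this output.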