Re: Basic password security question
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Feb 2007 16:09:36 +0000 (UTC)
Look at the pages - they (should) never post that form over HTTP - usually the login form posts to an HTTPS address....
You need SSL - and if you have it for the rest of your site, why not for your login page too?
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Hi Joe,
I will be securing the rest of my site with ssl, however I'm referring
only to my login page. A lot of sites, including my bank have a
login page over http and once I am logged in, the remainder of the
pages are over https. How do they secure the password in that case?
"Joe Kaplan" wrote:
No. You should look at the wire traffic. That is just for the UI
displayed by the browser.
If you are doing a secure site where you will be collecting data like
passwords and potentially using cookies for authentication, you must
use SSL.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Opa" <Opa@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5CD20844-7860-4BAB-BD57-AB0DBB43B991@xxxxxxxxxxxxxxxx
Hi all,
I was asked today if setting textmode="password" of a textbox control
was secure over http. I assumed that the browser does encryption before
sending it over the wire. Why aren't most login screen forms sent over
https?
Is my assumption about the browser providing encryption on special input
fields true? Can anyone explain?
Thanks,
Opa