On Sun, Apr 04, 2004 at 03:15:28PM -0700, Victor Odhner wrote:
> Vic Odhner agrees with Alex:
> PLEASE don't have your system logon passwords
> entered in the clear via HTTP. If you're using
> SSL, that's a little better, but still bad.
>
> The bottom line with security is that it is
> in direct opposition to productivity and
> convenience. You have to compromise security
> to some degree to get anything done. But sending
> passwords out in the clear is an absolute no-no,
> and using the same password for multiple things
> is -- frankly -- lazy and risky. (Of course there
> are real "single sign-on" systems, using Kerberos
> and LDAP, etc., but you really need to do your
> homework when setting up that type of thing.)
>
> Vic

Yes, I realize these implications. Right now this server is simply an
inside deal running on an internal network and a lot of the work on here
is merely academic, so I am trying to learn the basics of Apache
administration. I have lots to learn. I can see why most web sites that
require authentication do SSL plus they do their own custom ID / password
dialogs with basic authentication. I read just the other day how basic
realm auth works and I also agree with the scariness of having password
info sent in the clear like that. I figured for internal local use that
using the same password that is used for machine login would suffice
around here and why my original questions :).

-- 
HolmesGrown Solutions
The best solutions for the best price!
http://ld.net/?holmesgrown

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
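
The concern raised in this thread about HTTP Basic authentication, as an added example that is not part of the original messages: the `Authorization: Basic` header is only base64-encoded, so a request sent without TLS exposes the login to anyone who can read the traffic. The audit below runs over constructed request records; the host name, account name and password are hypothetical.

```python
import base64
import binascii

def decode_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # base64 is a reversible encoding, not encryption
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # The user name cannot contain ':', so split on the first one only.
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    return (user, password) if sep else None

def audit(requests):
    """Report every request carrying Basic credentials and whether TLS protected it."""
    findings = []
    for req in requests:
        creds = decode_basic(req["headers"].get("Authorization", ""))
        if creds is None:
            continue
        user, password = creds
        findings.append({
            "url": req["url"],
            "user": user,
            "password_length": len(password),  # report length only, never the value
            "cleartext_on_wire": not req["url"].lower().startswith("https://"),
        })
    return findings

# Constructed sample requests (hypothetical host and account).
_TOKEN = base64.b64encode(b"alice:s3cret-login").decode()
SAMPLE = [
    {"url": "http://intranet.example/admin/", "headers": {"Authorization": "Basic " + _TOKEN}},
    {"url": "https://intranet.example/admin/", "headers": {"Authorization": "Basic " + _TOKEN}},
    {"url": "http://intranet.example/public/", "headers": {}},
    {"url": "http://intranet.example/api/", "headers": {"Authorization": "Basic !!!notbase64"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The same header value appears in both the `http://` and `https://` records; only the transport decides whether it is readable in transit.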