Previously on "Secure website passwords"

  • Guest replied
    Make the password generated on a per-user basis offline. When they install, it generates a semi-random password depending on machine config; they e-mail you, you e-mail them back.

    That way they never have the full picture, so decryption is very difficult. Can't argue with the experts like M$.



  • Guest replied
    What silly ones?

    As a matter of interest, does anyone know how easy it would be to access files protected by Apache? E.g. the .htaccess file.

    Any file can be protected by Apache by putting something like the following into the httpd.conf file.

    # Deny web access to any file whose name starts with ".ht" (e.g. .htaccess, .htpasswd)
    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>



  • Guest replied
    Ta for comments esp. silly ones. Suspect best protection against people hacking into my password list will be that nobody will be remotely interested in getting my software for free anyhow.



  • Guest replied
    I'd use a 20,000 bit public key infrastructure with nuclear bomb proof bunkers on every continent (and the moon) to hold the key authority databases (implemented in Excel). The keys would be hashed using crypt and all the source code would be written in Greek. The 2 SSL accelerators would be located in the Mariana Trench and up Everest. Just to make sure, I wouldn't publish the details on a bulletin board.

    Edit
    Oops!



  • Guest replied
    I think I'd keep the data in the bottom drawer of a filing cabinet in the basement behind a door with a sign saying "Beware of the Leopard".

    Worked for the local council in HHGTTG.



  • Guest replied
    I'd use a known algorithm to generate and check cryptographically strong serials. This would allow me not to keep a list of serials anywhere on the site, and I'd use compiled and obfuscated code to check keys. Of course, if I was really paranoid I'd keep that code behind a firewall elsewhere, so that the website would have to request/check keys via SSL, with some good monitoring present to ensure no one tries to guess too many serials.

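Worked example (added here by the editor, not code from any poster): a Python sketch of the design in the reply above, where a known algorithm checks serials so no list of them has to live on the site, plus the "too many guesses" monitoring the reply mentions. Python is used instead of the original poster's PHP because the design is language-independent. The key value, the nonce and tag sizes, the dash grouping and the lock-out limit are all constructed for the demo; the identity string is whatever you bind the serial to (an e-mail address, an order number, or the machine details another reply suggests).

```python
import base64
import hashlib
import hmac
import secrets
from collections import defaultdict

# Hypothetical server-side key. Keep it in a file outside the web root (or on the
# separate key server the reply describes), never somewhere the web server can serve.
SERVER_KEY = b"constructed-demo-key-replace-with-32-random-bytes"
NONCE_BYTES = 5   # random part, so two purchases by the same person get different serials
TAG_BYTES = 10    # 80-bit HMAC tag: far too many possibilities to find by trying serials


def _tag(identity: str, nonce: bytes, key: bytes) -> bytes:
    """Keyed hash over (identity, nonce); only the key holder can produce it."""
    return hmac.new(key, identity.encode() + b"\x00" + nonce, hashlib.sha256).digest()[:TAG_BYTES]


def make_serial(identity: str, key: bytes = SERVER_KEY) -> str:
    """Issue a serial bound to `identity`.

    15 bytes (nonce + tag) encode to exactly 24 base32 characters (alphabet A-Z, 2-7,
    so no 0/O or 1/l confusion), shown as four groups of six. Nothing is stored.
    """
    nonce = secrets.token_bytes(NONCE_BYTES)
    text = base64.b32encode(nonce + _tag(identity, nonce, key)).decode()
    return "-".join(text[i:i + 6] for i in range(0, len(text), 6))


def verify_serial(identity: str, serial: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the tag for the nonce inside the serial and compare in constant time."""
    cleaned = serial.replace("-", "").replace(" ", "").upper()
    if len(cleaned) != (NONCE_BYTES + TAG_BYTES) * 8 // 5:
        return False
    try:
        raw = base64.b32decode(cleaned)
    except ValueError:  # characters outside the base32 alphabet
        return False
    nonce, tag = raw[:NONCE_BYTES], raw[NONCE_BYTES:]
    return hmac.compare_digest(tag, _tag(identity, nonce, key))


class GuessMonitor:
    """Counts failed checks per client so repeated guessing is refused (and can be logged)."""

    def __init__(self, limit: int = 5):
        self.limit = limit
        self.failures = defaultdict(int)  # in-memory for the demo; persist it on a real site

    def locked(self, client: str) -> bool:
        return self.failures[client] >= self.limit

    def record(self, client: str, ok: bool) -> None:
        self.failures[client] = 0 if ok else self.failures[client] + 1


def check_request(monitor: GuessMonitor, client: str, identity: str, serial: str) -> str:
    """What the download script does per request: 'ok', 'rejected' or 'locked'."""
    if monitor.locked(client):
        return "locked"
    ok = verify_serial(identity, serial)
    monitor.record(client, ok)
    return "ok" if ok else "rejected"


if __name__ == "__main__":
    s = make_serial("buyer@example.com")
    print(s, verify_serial("buyer@example.com", s), verify_serial("other@example.com", s))
```

One trade-off to note: with no list on the site there is also nothing to revoke against, so if a serial ever leaks you need a small blocklist of nonces (or a key rotation) to withdraw it; the monitor above only limits guessing, it does not replace that.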


  • Guest replied
    Re: use john the ripper

    Sorry, I wasn't implying it doesn't - but I haven't tested it myself so I don't know.

    I should have said: "another solution would be to ...."

    Sorry again.



  • Guest replied
    Re: use john the ripper

    might ??????



  • Guest replied
    Re: use john the ripper

    That solution might work but I think the "standard" implementation for this would be to store the passwords in a MySQL database table, then your PHP code can retrieve and use them when the page is called.



  • Guest replied
    Re: use john the ripper

    On Apache, most common configurations disallow the viewing of any file whose name begins with .ht

    So put the passwords in a file named .htpasswords and ftp it to the server. You won't be able to see it when it has been uploaded but it can be read by a cgi script.



  • Guest replied
    use john the ripper

    Use the Linux tool known as "john the ripper" to check the security of passwords. Search for "john the ripper, linux" on Google.



  • Guest replied
    use a database

    and an encrypting algorithm such as MD5. Quite straightforward, cheap and effective. It gives a one-way encryption of passwords. You could even use an mdb file.



  • Guest replied
    It is impossible to secure any server (even Linux) against super intelligent grey squirrels.

    Saying that, a text file that is secured through file permissions or a simple database (MySQL or similar?) will do the trick.

    As long as users cannot gain access to the file (i.e. download it), it should be secure enough for a noddy site.



  • Guest replied
    What's the platform?

    Are we talking about Apache or IIS or something else?

    Ignoring whatever might be possible with the platform and just thinking application: can you put the file somewhere other than under the web root, and hence have it only accessible by your scripts (which of course just verify a password rather than returning it)?

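Worked example (added by the editor, not code from any poster) pulling together three of the replies: keep the list outside the web root so only your scripts can reach it, protect it with file permissions, and store only one-way hashes so a copy of the file is of no use to anyone. It is in Python rather than the original poster's PHP because the design carries over unchanged. The directory layout, the sample serials and the choice of SHA-256 (instead of the MD5 one reply names) are the example's own assumptions.

```python
import hashlib
import hmac
import os
import stat
import tempfile
from pathlib import Path


def canonical(serial: str) -> str:
    """Normalise what the buyer types: drop spaces and dashes, uppercase."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())


def serial_digest(serial: str) -> str:
    # The serials are issued by us with plenty of entropy, so a plain one-way hash is
    # enough. For human-chosen passwords you would use a salted, slow hash instead
    # (hashlib.pbkdf2_hmac or hashlib.scrypt), never a bare digest.
    return hashlib.sha256(canonical(serial).encode()).hexdigest()


def is_outside_docroot(path: Path, docroot: Path) -> bool:
    """True if `path` does not resolve to somewhere under the web root."""
    try:
        path.resolve().relative_to(docroot.resolve())
        return False
    except ValueError:
        return True


def write_serial_store(path: Path, docroot: Path, serials) -> None:
    """Write the hashed list, refusing a location the web server could serve."""
    if not is_outside_docroot(path, docroot):
        raise ValueError("serial store must live outside the web root")
    # 0o600: owner (the account the scripts run as) may read/write, nobody else.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for s in serials:
            f.write(serial_digest(s) + "\n")


def store_permissions_ok(path: Path) -> bool:
    """Check that group and others have no access bits on the store."""
    return stat.S_IMODE(path.stat().st_mode) & 0o077 == 0


def serial_is_valid(path: Path, candidate: str) -> bool:
    """Verify without ever returning a serial: hash the candidate and look for a match."""
    wanted = serial_digest(candidate)
    found = False
    for line in path.read_text().splitlines():
        # No early return: the same work is done whether or not the line matches.
        if hmac.compare_digest(line.strip(), wanted):
            found = True
    return found


def rejects_location_under_docroot(path: Path, docroot: Path) -> bool:
    """True if write_serial_store refuses to write `path` (used to show the guard works)."""
    try:
        write_serial_store(path, docroot, ["CONSTRUCTED-00000-SERIAL"])
    except ValueError:
        return True
    return False


def setup_demo():
    """Constructed layout: a fake web root and a private directory beside it."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "public_html"
    docroot.mkdir()
    store = base / "private" / "serials.txt"
    store.parent.mkdir()
    write_serial_store(store, docroot, ["ABCDE-12345-FGHIJ", "KLMNO-67890-PQRST"])
    return store, docroot


if __name__ == "__main__":
    store, docroot = setup_demo()
    print(store, store_permissions_ok(store), serial_is_valid(store, "abcde 12345 fghij"))
```

The two guards worth keeping even on a "noddy site" are the ones this shows: the script that checks a serial never returns one, and the file is created with a mode that excludes the web server's other users rather than relying on the default umask.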


  • Guest started a topic Secure website passwords

    Secure website passwords

    Can somebody point me, in very general terms, towards the best approach to keeping a password list secure on a website?

    I want to issue purchasers with a serial number so they can download add-ins from the website. I know how to check that a serial number entered is in the list using a bit of PHP, but I'm not sure how to make the list secure.

    At the moment it's just a text file that anyone could read. Or perhaps not, if I used the right permissions? I really don't know enough server side to even know if I have a problem.

    Ta for any answers.

    PS Fate of the Western world sort of security not necessary, just safe from your average know a bit sort of IT bod and super intelligent grey squirrels.
