How safe is password protecting folder/directories?

         

georgiek50

8:01 am on Mar 24, 2004 (gmt 0)

10+ Year Member



I have all my admin scripts for posting content in a folder and have it password protected with the standard cPanel password protection option. My question is, without buying an SSL certificate is there a way to make this secure, is it secure as it is, and what are my alternatives?

ukgimp

8:12 am on Mar 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do the usual

Don't use stupid passwords that could be guessed. I am not joking when I say I have seen "letmein", and username/pwd combos of Admin Admin.

Use letters, numbers and symbols, keep them complex and tell no one.

Is your host on Apache? If so, htaccess is your pal.

georgiek50

8:36 am on Mar 24, 2004 (gmt 0)

10+ Year Member



Yes, both my username and pwd are quite complex (I write them down in my notebook to remember them!) and I am using Apache/.htaccess...so this is safe against packet sniffing? Do they get encrypted as they process?

DoppyNL

8:46 am on Mar 24, 2004 (gmt 0)

10+ Year Member



>> I write them down in my notebook to remember them!
Then they are TOO COMPLEX, make them a **little** simpler so you can remember them.
Writing them down is waiting for disaster to happen!

A good suggestion for creating a hard-to-guess password is to make a sentence and use the first letters from that sentence.

"This is my first new password and it's difficult"

Then you can convert that to:

"tiM1nP&id"

Put in some capital characters and stuff like that.
Remember the sentence, and you should be able to create the password again :)
Easier to remember a sentence than a password :D

I haven't got experience with technical security, so I can't tell you a thing about whether that folder is secure against packet sniffing....

ara818

9:35 am on Apr 3, 2004 (gmt 0)

10+ Year Member



Using web authentication (of any standard form) with no SSL, you are vulnerable to a man-in-the-middle attack. IOW, if someone can monitor traffic anywhere between you and your server, they can grab your username and password. It really does not matter how hard to guess your password is (this just protects you from the most trivial of attacks and not the real crackers).

Note though that if you intend to use SSL only as a form of admin login you do not need to buy a certificate! OpenSSL (and other SSL libraries I assume) can generate a certificate that you can use. The only catch is that you will get one of those "This certificate is unauthorized, unverified blah blah blah" messages when you access your admin pages. Which of course is not a problem when you are the one who generated the certificate in the first place!

Hope this helps!
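Added example, not part of any poster's message: a shell sketch of the two points in the post above. It shows that the HTTP Basic `Authorization` header produced by an .htaccess-protected folder is only Base64-encoded, and it generates a self-signed certificate with the OpenSSL command line. The user name `admin`, the host name `admin.example.test` and the file names `admin.key`/`admin.crt` are assumptions; the password is the sample one from earlier in the thread.

```shell
#!/bin/sh
# Added example. Credentials, host name and file names are constructed.

# Build the header a browser sends for HTTP Basic auth. $1=user $2=password
basic_auth_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Recover "user:password" from a header seen on the wire. No key is involved,
# so a complex password gives no protection over plain HTTP.
decode_basic_auth() {   # $1=full header line
    printf '%s' "${1#Authorization: Basic }" | base64 -d
}

# Create a self-signed certificate and private key for the admin host.
# $1=host name, $2=existing output directory
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2/admin.key" -out "$2/admin.crt"
    chmod 600 "$2/admin.key"    # the key must stay private to the server
}

# SHA-256 fingerprint to write down and compare with the one shown in the
# browser's certificate warning, so you know the certificate is your own.
cert_fingerprint() {    # $1=certificate path
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# A self-signed certificate has identical issuer and subject.
is_self_signed() {      # $1=certificate path
    [ "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" ]
}

# Demonstration with constructed credentials: what a sniffer on the path sees,
# and what it decodes to.
hdr=$(basic_auth_header admin 'tiM1nP&id')
printf '%s\n' "$hdr"
printf 'decodes to: %s\n' "$(decode_basic_auth "$hdr")"

# Certificate steps (run where the openssl command is installed):
#   make_self_signed admin.example.test /path/to/dir
#   cert_fingerprint /path/to/dir/admin.crt
```

Once the certificate is installed on the server, checking the fingerprint on first connect is what separates your own "unverified" certificate from someone else's.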

georgiek50

4:51 pm on Apr 3, 2004 (gmt 0)

10+ Year Member



That's great, thanks for the tip. I will look into OpenSSL.