

Password Dialog

I would like to display a password dialog, similar to the one displayed when you log onto Experts Exchange.  Can this be done in JavaScript?
Asked by: dl090597
 
Christian_Wenz commented:
The one at Experts Exchange works with something called ".htaccess". A JavaScript dialog is easy to implement, but not very hack-proof.
Ask your ISP if he supports .htaccess, and if he does, I'll give you instructions on how to implement this. If not, I'll give you a JS script - but again, that's not hack-proof.
0
 
tecbuilder commented:
The reason that a JavaScript password dialog is not hack proof is that the password has to be hard coded into your HTML file or a JavaScript file.  Hence, if someone wanted to see if the password dialog was generated from JavaScript code, all they would have to do is look at the page's source code.  Inside it they can find the code that generated the password dialog box.  Wherever the code is that generated the password dialog box, so too is the password.

The trick is hoping that they don't check your page's source code.  You can do some things that would make it rather painful to check your code, like putting all the code that generated your page on 1 line, putting in bogus scripts that don't do anything except make your code more difficult to read, etc.  However the person can save your page to their hard drive and load it in an editor where they can add paragraph marks to make it more readable.  Hence finding your password.
0
 
Holger101497 commented:
There have been half a dozen discussions about this and what you can do to "hide" the password!!!! Maybe it's best to invest some points into the PAQs....

One simple yet effective technique is to "garble" the word that is entered in some way (something very simple) and then set document.location=garbledword+'.html';
As long as you have an "index" or "default" file that keeps people from looking at your directory, that makes it extremely hard to find the next page without knowing a valid password and you can't find the password in the code either.
Even more effective is passing the password to a CGI script that checks it and (maybe) generates a page. Of course most people don't have access to CGI, but I think that even fewer people can use .htaccess.

.htaccess is definitely the most effective way, but if you can't use it, there are several ways to make it work ok in JavaScript...
0
 
ozo commented:
Another way to increase the hack resistance of Christian_Wenz's script (unless it already does this, I haven't seen it yet) may be not to hard code the password into the script, and instead send a different hash of it on every invocation.  This would require a CGI on the other side to generate a different JavaScript each time, and you still need a good hash and a secure way of seeding it.

0
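One way to realize the idea in ozo's comment above, added here as an example and not code posted by anyone in this thread: the server issues a fresh random nonce with each generated page, the page returns HMAC-SHA256(password, nonce), and the server checks it once. The function names, the in-memory nonce store, the 60-second lifetime and the sample password are all assumptions; Node's `crypto` stands in for both the server side and the browser's hashing step.

```javascript
const crypto = require('crypto');

// Assumption: the password lives only on the server, never in page source.
const SERVER_PASSWORD = 'constructed-example-password';
const NONCE_TTL_MS = 60000;
const issued = new Map(); // nonce -> expiry timestamp (hypothetical in-memory store)

// Server: a fresh, unpredictable nonce for every login page it generates.
// randomBytes is the "secure way of seeding" part.
function issueChallenge(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  issued.set(nonce, now + NONCE_TTL_MS);
  return nonce;
}

// Client: what the generated script computes from the typed password.
// (A browser would use Web Crypto; Node's crypto keeps this demo runnable.)
function clientResponse(nonce, typedPassword) {
  return crypto.createHmac('sha256', typedPassword).update(nonce).digest('hex');
}

// Server: verify the response; every nonce is accepted at most once.
function verifyResponse(nonce, response, now = Date.now()) {
  const expiry = issued.get(nonce);
  issued.delete(nonce); // single use, even when the check fails
  if (expiry === undefined || now > expiry) return false;
  const expected = Buffer.from(clientResponse(nonce, SERVER_PASSWORD), 'hex');
  const got = Buffer.from(String(response), 'hex');
  // Compare lengths first: timingSafeEqual throws on unequal lengths.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}
```

The page source now contains only a nonce, so reading it reveals nothing reusable, but the server still has to hold the password (or an equivalent secret) and the exchange should run over TLS.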
 
Christian_Wenz commented:
I was assuming that dl has no CGI access; but Holger's right, there are really some questions of the same type.
BTW, hi ozo, nice to read you again! :-)
0
