
Website Passwords

Website passwords can be looked at from a few different angles. Server-side authentication for websites includes, but is not limited to:

  • Browser authentication (sign-in dialog box) - .htaccess authentication backed by a .htpasswd file.
  • User-account authentication in the site's own (built-in) applications.
  • FTP/SSH authentication.

We have looked at how passwords travel over the wire in the network passwords section of Password Analytics. Website authentication is generally safer when done on the server side. The reason is that most client-side browser code, such as checks written in JavaScript (JS), is loaded into the client's browser. This means that the data against which the user's input is compared is also delivered to the client, which makes the whole password implementation insecure: anyone can read the expected value out of the page source. Likewise, the algorithm and its weaknesses can be determined if the entire authentication function is loaded on the client side. This is the main reason that authentication systems remain on the server side.

Browser authentication is the simplest form of HTTP authentication. It generally pops up as a sign-in box, and the credentials entered are matched against the .htpasswd entries stored outside public_html. The .htpasswd file is a hidden file in the root directory of the user account on the hosting server. To enable this authentication on the folders whose files require a login to view or edit, you add an .htaccess file with the directives that compare against .htpasswd for basic HTTP authentication. Although basic HTTP authentication is good, it is better to have a stronger, customized authentication for sensitive user applications. This could be done with a built-in crypto implementation or a password authentication function. .htpasswd has its own procedure for generating and storing passwords, and an entry can be generated with any of the specific tools available. Htpasswd-generator is one of the free tools; it can be accessed at http://www.htaccesstools.com/htpasswd-generator/. The following image shows how you enter the username and password to generate a .htpasswd entry.


Figure 1: .htaccess tools.


Once you enter the username and password, click on "Create .htaccess file" and you are taken to the following page, which gives you an entry for the .htpasswd file. Copy this line and paste it into the .htpasswd file in the hosting server's user account to use it for basic authentication when required.
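The two points above (the comparison data must stay on the server, and the .htpasswd file stores a hash rather than the password) can be shown in working code. The following is an added example, not code from the original article or from the htpasswd tool or the htaccesstools.com generator. It produces .htpasswd lines in the {SHA} format (the one `htpasswd -s` writes, chosen because it can be reproduced with the Python standard library), parses a constructed .htpasswd file, and performs the server-side check. The usernames, passwords and the AuthUserFile path are constructed sample values.

```python
"""Generate and verify .htpasswd entries in the {SHA} format.

Added example (not from the original page or any Apache tool).
Format: user:{SHA}base64(sha1(password)).  Apache's mod_authn_file reads
such a file via AuthType Basic + AuthUserFile.  All values are constructed.
"""
import base64
import hashlib
import hmac

# .htaccess directives that point Apache at the password file.
# The path is an assumed sample location, not one from the article.
HTACCESS = """AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswd
Require valid-user
"""


def make_sha_entry(username: str, password: str) -> str:
    """Return one .htpasswd line; the plaintext password is not stored."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored hash field, skipping blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def verify(entries: dict, username: str, password: str) -> bool:
    """Server-side check: hash the candidate and compare against the stored
    digest in constant time.  Unknown hash schemes are rejected (fail closed)
    instead of being guessed, and an unknown user is simply a failed login."""
    stored = entries.get(username)
    if stored is None:
        return False
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        candidate = base64.b64encode(digest).decode("ascii")
        return hmac.compare_digest(candidate, stored[len("{SHA}"):])
    return False


# Constructed sample .htpasswd contents: one generated line plus a line in a
# scheme this verifier does not implement, to show the fail-closed path.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample file",
    make_sha_entry("alice", "password"),
    "bob:$apr1$notreal$placeholderhashXXXXXXXXXXX",
])


def demo() -> dict:
    """Run the checks a login handler would perform; returns the outcomes."""
    entries = parse_htpasswd(SAMPLE_HTPASSWD)
    return {
        "alice_ok": verify(entries, "alice", "password"),
        "alice_wrong": verify(entries, "alice", "Password"),
        "bob_unsupported": verify(entries, "bob", "anything"),
        "unknown_user": verify(entries, "carol", "password"),
    }


if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(HTACCESS)
    print(demo())
```

Note that {SHA} is an unsalted single SHA-1, so two users with the same password get identical entries and the digest is cheap to brute-force; it is used here only because it needs no third-party library. For a real deployment prefer the salted bcrypt format (`htpasswd -B`). The point the article makes still holds for every scheme: the file holds a digest, the client only ever sends the password, and the comparison happens on the server.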


Figure 2: .htpasswd entry.


FTP and SSH logins, once again, are generally created on the server side. Most hosting providers do not let website owners create these accounts, as there are many domains on a single box or per IP. Hence, in a shared hosting space this is done by the server administrators, whereas on a dedicated server you would have full access to set it up yourself. The FTP protocol sends the username and password in plain text, while SSH communication takes place over an encrypted channel. It is highly recommended to connect to a server over SSH rather than FTP. Some applications used to edit code, however, give the user no choice of port or service; in such cases SFTP is a better alternative to FTP (if the app provides it). On the other hand, some hosting providers give users SSH access and move the service to a non-default, non-standard port in the ephemeral range, so that even if attackers scan 22/TCP or other standard service ports, they may not notice that a service is listening on one of those ephemeral ports. Even if attackers notice that such ports are open, it is often non-trivial to work out which service is behind a non-standard port.
