Help with website password protection... please

[chazdraves]

I am nearing completion of my new website and want a "members-only" section available on the site. I considered using .htaccess & .htpasswd files to protect this area, but rumor has it that these files are fairly easy to hack, and that's the last thing I need. Can anyone suggest another solution? Security is definitely an issue. Thanks

- Chaz

 

[hevnsnt]

*nix or win webserver?

 

[chazdraves]

Just a second and I'll check

 

[chazdraves]

I don't actually run the server, it's through a company called "doteasy.com". For some reason I can't seem to find which type of server it is that they use. It seems as though I remember reading it somewhere, but I can't really remember that either. Is there any quick way to check? Thanks

- Chaz

 

[guyver01]

here's a simple javascript for passwords

<!-- Begin
function LogIn(){
loggedin=false;
username="";
password="";
username=prompt("Username:","");
username=username.toLowerCase();
password=prompt("Password:","");
password=password.toLowerCase();
if (username=="guest" && password=="login") {
loggedin=true;
window.location="home-page.html";
}
if (username=="guest2" && password=="login2") {
loggedin=true;
window.location="home-page2.html";
}
if (loggedin==false) {
alert("Invalid login!");
}
}
// End -->
</SCRIPT>

 

[chazdraves]

Thanks for the script. Do you store all the usernames and passwords under the *if(username=="guest2"* thing, or do you have to make some form of database to use it? Also, wouldn't that be easy to hack? Thanks again!

- Chaz

 

[guyver01]

It actually stores the unsername and password as you see it... for better protection.. try this one:

http://javascript.internet.com/passwords/password-pro-in.html#source

This script uses a different approach to Password Protection. It uses the password as the actual destination webpage, but it uses an encryption method that encrypts and checks the password. So if you fail to enter it correct after 3 times you go to a specific page (specified by the webmaster) and you don't get the annoying 404 page not found message as in other scripts.

 

[hevnsnt]

don't use that.. that is the easiest way to allow newbie hackers in.. javascript is not the way.. I am a big fan of protecting the dir, not the contents.

 

[chazdraves]

So, what would you recommend then?

- Chaz

 

[starwarsdad]

Here you go:

Text

Steve Gibson is my hero!

 

[chazdraves]

Excellent, thanks. Okay, my server is:

Server: Apache/1.3.26 (Unix) mod_perl/1.26 mod_throttle/2.11 PHP/4.1.0 FrontPage/4.0.4.3

If that still helps...

- Chaz

 

[chazdraves]

By the way hevnsnt, project I-MAME looks very cool. I just checked it out, good luck on that! Did you have a better idea for security?

- Chaz