Passwords in clear [2]

From: Penisoara Adrian <[email protected]>
Date: Thu, 10 Jul 1997 11:02:45 +0300 (EEST)

  Hi !

  Regarding the "URL coding: ftp passwords in clear" thread; there is
something more to be said.
  The passwords are shown in clear also in the "Filedescriptor Usage"
section of the cachemgr.cgi script ! And this one was personally verified
by me on one of the nlanr.net hosts...
  Also be aware that http requests with 'password clear URLs' (like
http://user@pass:host/) are also displayed in clear text...
  One good solution for this, if found annoying, is to either strip or
modify the in text password, like wget does:
     'ftp://u@p:host/' becomes 'ftp://u@xxxxxxxx:host/'
  So we get both side benefits: the users are secured from hacker attacks
and the admin's have their 'warez' proofs [should there be an squid.conf
option to make logs store the passwords in clear text ?].

  Hope this will help rather then inflame ya ... :)

  Ady (@warp.starnets.ro)
Received on Thu Jul 10 1997 - 01:09:11 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:43 MST