Secure password transfer


    Secure password transfer

    I'm searching for a way to transfer passwords securely from client to server, where SSL and similar are not feasible (or available). Currently I'm using NT challenge/response like this:

        'Force NT login
        If Request.ServerVariables("LOGON_USER") = "" Then
            Response.Status = "401 Unauthorized"   ' IIS turns this into a login challenge
            Response.End                           ' stop here so nothing below is rendered
        Else
            AuthUsers = "nc009"                    ' comma-separated list of allowed accounts
            AuthOK = 0
            For Each user In Split(AuthUsers, ",")
                If Request.ServerVariables("LOGON_USER") = "k12sd1\" & user Then AuthOK = 1
            Next

            If AuthOK = 1 Then
                'display page
            Else
                'access denied
            End If
        End If

    -------
    The problem is that the passwords are sent unencrypted.

    Anyone have a solution?

    RE: Secure password transfer

    If the password is being sent cleartext then you're not using NT authentication - you're using basic authentication. Under NTLM the actual password is never sent across the network - the SAM generates a challenge based on the password and the client generates a response based on the password supplied, so at no point is the actual password passed to any 3rd party (like IIS). The really clever bit is that the challenge is different every time.

    Check the authentication methods enabled on the "Directory Security" tab of the IIS properties. The only problem with NTLM is that it's only supported by IE.

    Dunc

    Bill J (Guest)

    RE: Secure password transfer

    There are ways to grab the password of the user off the NT domain, but doing so requires components. Now, if you are worried about password interception you can always try to encrypt the password yourself and then have the server decrypt the password; the main site tells you how to do this using RC4(like), which depending on the nature of the machine trying to crack it might take a couple of hours max. Or, using the code for RC4(like), you can write your own form of encryption.

    Markkk (Guest)

    RE: Secure password transfer

    I don't fully understand your problem....

    When NT Challenge/Response Authentication is used, user Passwords are never sent to the server, only the Password hash!

    Of course, if you use Basic Authentication, then both UserID and Password are sent unencrypted to the server (a potential security issue).

    Are you sure that you are using NT Challenge/Response, or perhaps are you using Basic Authentication?

    If you want to avoid sending unencrypted passwords across NT networks, stick to using MSIE browsers (stay away from Netscape browsers that don't support NT Challenge/Response authentication).

    I hope this helps.
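    The two replies above (Dunc's and Markkk's) make the same point: Basic authentication puts the password on the wire in a recoverable form, while a challenge/response scheme sends only a value derived from a one-time challenge. The script below is an added example written for this page, not code from any poster or from IIS. It decodes a constructed Basic `Authorization` header to show exactly what a sniffer recovers, then runs a small challenge/response exchange between a `Server` and a `Client` (both illustrative names) to show that the password never crosses the wire and that a captured response cannot be replayed against a fresh challenge. The verifier and response use SHA-256/HMAC-SHA256 as a readable stand-in; real NTLM derives an NT hash and applies DES to the challenge, so this is not NTLM's algorithm, only a demonstration of the same wire-level property. The account `nc009`/`hunter2` and the captured header are constructed sample data.

```python
import base64
import hashlib
import hmac
import secrets

# --- Part 1: what "cleartext" means for Basic authentication ------------------
# Constructed sample header, exactly as a sniffer on the path would see it.
# It encodes the string "k12sd1\nc009:hunter2" (domain\user:password).
CAPTURED_BASIC_HEADER = "Authorization: Basic azEyc2QxXG5jMDA5Omh1bnRlcjI="


def recover_basic_credentials(header_line):
    """Basic auth only base64-encodes 'user:password'; anyone on the path decodes it."""
    _, scheme, token = header_line.split(" ", 2)
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# --- Part 2: a challenge/response exchange (stand-in for NTLM) ----------------
def derive_verifier(password):
    # Unsalted hash of the password, playing the role of the NT hash (assumption).
    return hashlib.sha256(password.encode("utf-8")).digest()


class Server:
    def __init__(self, users):
        # users: {name: password}; only verifiers are kept, never passwords.
        self._verifiers = {u: derive_verifier(p) for u, p in users.items()}
        self._pending = {}  # outstanding challenges, keyed by session

    def issue_challenge(self, session_id):
        challenge = secrets.token_bytes(8)  # fresh random challenge every time
        self._pending[session_id] = challenge
        return challenge

    def verify(self, session_id, user, response):
        challenge = self._pending.pop(session_id, None)  # single use
        verifier = self._verifiers.get(user)
        if challenge is None or verifier is None:
            return False
        expected = hmac.new(verifier, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user, password):
        self.user = user
        self._verifier = derive_verifier(password)  # the password stays here

    def respond(self, challenge):
        return hmac.new(self._verifier, challenge, hashlib.sha256).digest()


def run_exchange(server, client, session_id, captured_response=None):
    """Run one login. Returns (authenticated, what_went_over_the_wire)."""
    challenge = server.issue_challenge(session_id)          # server -> client
    if captured_response is None:
        response = client.respond(challenge)                # client -> server
    else:
        response = captured_response                        # attacker replays old response
    ok = server.verify(session_id, client.user, response)
    return ok, (client.user, challenge, response)


def demo():
    server = Server({"nc009": "hunter2"})     # constructed account
    good = Client("nc009", "hunter2")
    wrong = Client("nc009", "letmein")
    ok_good, wire = run_exchange(server, good, "s1")
    ok_wrong, _ = run_exchange(server, wrong, "s2")
    # Replay: reuse the response sniffed in session s1 against a new challenge.
    ok_replay, _ = run_exchange(server, good, "s3", captured_response=wire[2])
    return ok_good, ok_wrong, ok_replay


if __name__ == "__main__":
    print("Basic header decodes to:", recover_basic_credentials(CAPTURED_BASIC_HEADER))
    print("(correct password, wrong password, replayed response) ->", demo())
```

    Running it prints the recovered `domain\user` and password from the Basic header, then `(True, False, False)` for the three exchanges. Two caveats worth keeping in mind: the challenge/response protects the password only in transit, since the sniffed (challenge, response) pair can still be fed into an offline guessing attack against a weak password, and a scheme like this does nothing against an attacker who relays the exchange to another server in real time.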

