Forum archive 2000-2006

Andrew L Vogel - Security on password change

by Arnold Pizer
Number of replies: 0

Topic started 9/6/2001; 1:12:34 PM; last post 9/10/2001; 12:18:17 PM

Andrew L Vogel - Security on password change
9/6/2001; 1:12:34 PM (reads: 1905, responses: 6)
Is there any built into WeBWorK? Netscape has always complained to me, but I just say ignore the warning.

A new faculty member asked me this question and I don't know the answer.

Andy Vogel



Arnold K. Pizer - Re: Security on password change
9/6/2001; 2:12:20 PM (reads: 2200, responses: 0)
There is no built in security when passwords are sent over the net (within the WeBWorK database, passwords are encrypted). Also passwords are sent only at login (see below). Probably the best and easiest thing to do if you want a secure installation is to run WeBWorK under a secure server (e.g. apache with mod_ssl). Ohio State is the only place I know that is currently doing this (see https://webwork.math.ohio-state.edu/).

Note that after the login, a WeBWorK "connection" is maintained by passing back and forth a "key" (not the password), e.g.

K5^T9bjX**D^SooNoy*KDHNaSkBqFiFp1qLmybtb
If someone grabs this "key", they could steal your session. This is unlikely but possible. These "keys" time out after a certain period of inactivity, the default being 30 minutes. The logout command kills the key immediately. Up to this point, we have not had any reports of any break-ins to any WeBWorK installations. The greatest risk might be someone "guessing" a professor's password, and a secure server will not help in that case.

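The session-key behaviour Arnold describes (a key, not the password, passed back and forth; a 30-minute inactivity timeout; logout killing the key at once; anyone holding the key being treated as the user) is illustrated by the following added example. It is not WeBWorK code: the table, the function names and the clock values are constructed for the walk-through, and the key format only mimics the shape of the string quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not WeBWorK code: a minimal in-memory table of session
# keys with the behaviour described in the post (inactivity timeout,
# logout kills the key). Names are hypothetical.
my $TIMEOUT = 30 * 60;     # 30 minutes of inactivity, the default in the post
my %sessions;              # key => { user => ..., last => epoch seconds }

# Issue a fresh key to a user whose password has just been checked.
# rand() is NOT a cryptographic source; a real server should draw the
# key from /dev/urandom or a CSPRNG so that it cannot be predicted.
sub issue_key {
    my ( $user, $now ) = @_;
    my @alphabet = ( 'A' .. 'Z', 'a' .. 'z', '0' .. '9', '*', '^' );
    my $key = join '', map { $alphabet[ rand @alphabet ] } 1 .. 40;
    $sessions{$key} = { user => $user, last => $now };
    return $key;
}

# Validate a presented key. Returns the user name if the key is live,
# undef otherwise. Nothing but possession of the key is checked, which is
# why a stolen key lets someone else act as that user.
sub check_key {
    my ( $key, $now ) = @_;
    my $s = $sessions{$key} or return undef;
    if ( $now - $s->{last} > $TIMEOUT ) {
        delete $sessions{$key};    # timed out: forget it
        return undef;
    }
    $s->{last} = $now;             # any activity restarts the clock
    return $s->{user};
}

# Logout: the key dies immediately, whatever the clock says.
sub logout {
    my ($key) = @_;
    delete $sessions{$key};
    return;
}

# --- constructed walk-through with explicit clock values ---
my $t0  = 1_000_000_000;           # arbitrary epoch start
my $key = issue_key( 'professor', $t0 );
printf "%-32s %s\n", 'issued:',                      $key;
printf "%-32s %s\n", 'check after 10 min idle:',     check_key( $key, $t0 + 10 * 60 ) // 'no session';
printf "%-32s %s\n", 'check after 25 more min idle:', check_key( $key, $t0 + 35 * 60 ) // 'no session';
printf "%-32s %s\n", 'check after 31 more min idle:', check_key( $key, $t0 + 66 * 60 ) // 'no session';

# Stolen key: the same string presented by someone else is accepted as
# long as the session is alive; logout is the only immediate remedy.
my $key2 = issue_key( 'professor', $t0 );
printf "%-32s %s\n", 'stolen key presented:',  check_key( $key2, $t0 + 60 ) // 'no session';
logout($key2);
printf "%-32s %s\n", 'same key after logout:', check_key( $key2, $t0 + 61 ) // 'no session';
```

Run with any Perl 5.10 or later (the `//` operator). The first three checks succeed, succeed and fail: each check resets the idle clock, so 35 minutes of wall time with a request in the middle is fine, while 31 minutes of silence is not. The second half shows the point Arnold makes about theft: the table cannot tell the legitimate browser from anyone else who sends the same 40 characters, so the only protections are keeping the key off the wire (SSL), the timeout, and an explicit logout.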


Andy Wildenberg - Re: Security on password change
9/6/2001; 2:48:58 PM (reads: 2196, responses: 0)
One question I've had for a while is whether the password database is encrypted 1-way or 2-way (i.e., is it possible for you to tell students their passwords, or can you only replace them)? What algorithm is used? I'm interested in sharing password information with another product that I use for my course.



Arnold K. Pizer - Re: Security on password change
9/6/2001; 3:19:09 PM (reads: 2178, responses: 0)
You can only replace a student's password. You cannot find out what a student's password is. The code which authenticates passwords (and creates new ones) is in Auth.pm and uses Perl's crypt function.

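The following added example shows the one-way scheme Arnold describes, built on Perl's `crypt` as the post says Auth.pm is. It is not Auth.pm itself: the function names, the salt helper and the sample passwords are constructed for the walk-through, and it also answers Andy's interoperability question in passing (another product can check the same stored entry only if it calls crypt(3) the same way).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Auth.pm: the one-way scheme the post describes,
# using Perl's built-in crypt(). Function names are hypothetical.

# Two salt characters from the traditional crypt alphabet. rand() is
# acceptable for a salt (it only needs to differ between users); it is
# not acceptable for session keys.
sub make_salt {
    my @chars = ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/' );
    return join '', map { $chars[ rand @chars ] } 1 .. 2;
}

# What goes into the password database: the crypt() output, never the
# cleartext. With a two-character salt this is the traditional DES
# scheme, which only looks at the first 8 characters of the password.
sub new_password_entry {
    my ($cleartext) = @_;
    return crypt( $cleartext, make_salt() );
}

# Verification: crypt() the candidate with the stored entry as the salt
# (crypt reads the salt off the front of it) and compare the whole string.
sub password_ok {
    my ( $cleartext, $stored ) = @_;
    return crypt( $cleartext, $stored ) eq $stored;
}

# --- constructed walk-through ---
my $stored = new_password_entry('s3cret!');
print "stored entry:             $stored\n";
print "correct password:         ", ( password_ok( 's3cret!', $stored ) ? 'accepted' : 'rejected' ), "\n";
print "wrong password:           ", ( password_ok( 'guess',   $stored ) ? 'accepted' : 'rejected' ), "\n";

# Traditional DES crypt truncates at 8 characters, so a 9th character is
# never checked. This is a property of the algorithm, not of this code.
my $long = new_password_entry('abcdefghIJK');
print "first 8 chars only (DES): ", ( password_ok( 'abcdefgh', $long ) ? 'accepted' : 'rejected' ), "\n";

# "Resetting" a password means writing a new entry; there is no way to
# get 's3cret!' back out of $stored, which is the one-way property.
my $replacement = new_password_entry('newpass1');
print "old password after reset: ", ( password_ok( 's3cret!', $replacement ) ? 'accepted' : 'rejected' ), "\n";
```

Two caveats for anyone sharing or migrating these entries. First, which algorithm a two-character salt selects, and whether DES is still available at all, is decided by the platform's crypt(3), not by Perl; on a libc that supports it, a salt beginning with `$6$` selects SHA-512 crypt and removes the 8-character limit, and `password_ok` needs no change because `crypt` reads the scheme off the stored string. Second, the stored entry reveals nothing about the cleartext, so the only way to hand a student a password is to set a new one, exactly as Arnold says.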


Gavin LaRose - Re: Security on password change
9/6/2001; 5:09:29 PM (reads: 2146, responses: 0)
I just spent a good percentage of today hacking things so that the authentication transactions (that is, the scripts login.pl and change-password.pl) run through the secure port of our new server (apache 1.3.20 + mod_ssl) while the remainder of the webwork cgi processing goes through the (presumably speedier) non-SSL port.

If anyone is interested I can post a summary of what I did to get this to work.

Gavin

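The split Gavin describes (login.pl and change-password.pl on the mod_ssl port, everything else on the plain port) needs the login scripts to refuse to do their work when reached over plain HTTP. The following added example is one way to write that application-side check; it is not Gavin's setup or WeBWorK code. It assumes that mod_ssl exports `HTTPS=on` into the CGI environment for requests that arrived on the SSL port, that the script knows the secure port number, and it uses constructed environments and a made-up host name in place of `%ENV`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Gavin's code: the application-side half of the
# split he describes. Assumptions: mod_ssl exports HTTPS=on to CGI
# scripts for requests that arrived on the SSL port, and the secure
# port number is known to the script. Names are hypothetical.

sub request_is_ssl {
    my ($env) = @_;
    return defined $env->{HTTPS} && lc( $env->{HTTPS} ) eq 'on';
}

# Same script, same query string, https scheme and the secure port.
# SERVER_NAME comes from the Apache config; HTTP_HOST is chosen by the
# client and must not be used to build a redirect target.
sub ssl_url_for {
    my ( $env, $ssl_port ) = @_;
    my $host = $env->{SERVER_NAME};
    my $port = ( $ssl_port == 443 ) ? '' : ":$ssl_port";
    my $path = $env->{SCRIPT_NAME} . ( $env->{PATH_INFO} // '' );
    my $qs   = ( defined $env->{QUERY_STRING} && length $env->{QUERY_STRING} )
             ? "?$env->{QUERY_STRING}"
             : '';
    return "https://$host$port$path$qs";
}

# Returns undef when the request may be handled here, otherwise the CGI
# header block that sends the browser to the secure port. A script such
# as login.pl would print it and exit before touching any form data.
sub ssl_gate {
    my ( $env, $ssl_port ) = @_;
    return undef if request_is_ssl($env);
    my $url = ssl_url_for( $env, $ssl_port );
    return "Status: 302 Found\r\nLocation: $url\r\n"
         . "Content-Type: text/plain\r\n\r\nRedirecting to $url\n";
}

# --- constructed environments standing in for %ENV ---
my %plain = (
    SERVER_NAME  => 'webwork.example.edu',    # constructed host name
    SCRIPT_NAME  => '/webwork/login.pl',
    PATH_INFO    => '/mth101',
    QUERY_STRING => 'user=vogel',
);
my %secure = ( %plain, HTTPS => 'on' );

print "plain-port request -> ", ( ssl_gate( \%plain,  443 ) // "serve it\n" );
print "SSL-port request   -> ", ( ssl_gate( \%secure, 443 ) // "serve it\n" );
print "non-standard port  -> ", ssl_url_for( \%plain, 8443 ), "\n";
```

Two limits of this arrangement are worth stating. The redirect only protects the request that fetches the form: if a login form's `action` already names the plain-port URL, the browser has sent the password in the clear before the script runs, so the form action must point at the https URL directly and the gate is just a safety net. And once the login has succeeded, the session key Arnold describes above still travels over the non-SSL port on every later request in this split, so it protects the password but not the session.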


Mark Schmitt - Re: Security on password change
9/8/2001; 9:28:08 AM (reads: 2174, responses: 0)
Gavin,

I for one would like to see that summary. Thanks.

Mark



Gavin LaRose - Re: Security on password change
9/10/2001; 12:18:17 PM (reads: 2167, responses: 0)
I have the information in a more general "install" document; I'll post the whole on a new thread.

Gavin
