is no built in security when passwords are sent over the net (within
the WeBWorK database, passwords are encrypted). Also passwords are sent
only at login (see below). Probably the best and easiest thing to do if
you want a secure installation is to run WeBWorK under a secure server
(e.g. apache with mod_ssl). Ohio State is the only place I know that is
currently doing this (see https://webwork.math.ohio-state.edu/).
Note that after the login, a WeBWorK "connection" is maintained by passing back and forth a "key" (not the passsword), e.g.
If someone grabs this "key", they could steal your session. This is
unlikely but possible. These "keys" timeout after a certain period of
inactivity, the default being 30 minutes. The logout command kills the
key immediately. Up to this point, we have not had any reports of any
breakins to any WeBWorK installations. The greatest risk might be
someone "guessing" a professor's password and a secure server will not
help in that case.
<| Post or View Comments |>