Posted by Jerry Stuckle on 10/16/07 02:33
David Hennessy wrote:
> Tom wrote:
>> On Sun, 14 Oct 2007 06:08:39 -0700, David Hennessy wrote...
>>> Hi! Is there any way to limit the number of retries when using HTTP
>>> authentication in PHP?
>>>
>>
>> I've seen lots of sites move to web forms instead of the usual pop-up
>> gray login boxes that are normally used with HTTP authentication. If
>> you tried using that method you can probably keep track of IP address
>> information and set up restrictions after so many retries.
>
>
> That makes sense. Do you think it would be safe to say that HTTP
> authentication is insecure, since it permits infinite retries?
>
Not really. If the userid and password are sufficiently long and
random, the amount of time it will take to break them can be measured in
centuries. And if someone tries a brute force attack, you will notice
it if you're watching your logs.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
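
The reply above relies on noticing a brute-force attempt in the server logs. As an added example (not part of the original thread), this Python script flags clients that accumulate 401 responses within a short window; the Apache common log format, the threshold, the window and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for clients with >= threshold 401s inside the window."""
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample log (documentation IP ranges, hypothetical /admin/ path).
REQ = '"GET /admin/ HTTP/1.1"'
SAMPLE_LOG = (
    # Normal browser: one 401 challenge, then a successful authenticated request.
    ['198.51.100.20 - - [16/Oct/2007:02:30:00 -0400] %s 401 401' % REQ,
     '198.51.100.20 - dave [16/Oct/2007:02:30:04 -0400] %s 200 5120' % REQ]
    # Rapid guessing: six failures in ten seconds.
    + ['203.0.113.7 - admin [16/Oct/2007:02:31:%02d -0400] %s 401 401' % (s, REQ)
       for s in range(0, 12, 2)]
    # Occasional failures an hour apart: never five inside one window.
    + ['192.0.2.50 - - [16/Oct/2007:%02d:00:00 -0400] %s 401 401' % (h, REQ)
       for h in range(3, 8)]
)

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

HTTP authentication always produces one 401 before the browser prompts for credentials, so the threshold has to sit above what a legitimate login generates.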