Forum OpenACS Q&A: Re: Password in ClearText

10: Re: Password in ClearText (response to 7)
Posted by Lars Pind on
Yes, we now default to login pages over SSL, when SSL is installed.
Posted by Jeff Davis on
Keep in mind that if you want to have passwords which are not sent in plaintext and don't want to use SSL, you will have to have some JavaScript to do it, which would mean people with JavaScript turned off would not be able to log in to your site (well, at least as far as I can see).

Or we could use Digest authentication as mentioned (and I think we should probably provide that as an option since it has some value -- one particularly useful way to use it is to password protect an entire dev site rather than count on the OpenACS authentication working in dev), but it does mean that the browser will then be responsible for popping up its standard password window. Digest authentication protects passwords but provides very little in the way of security beyond that (although if we issue more restrictive nonces that is not strictly true). Also, I think there are browser support issues for Digest authentication (NS4 doesn't do it, IIRC)...

I think the JavaScript hashing of the password is a waste, and Digest authentication has some value, but it's not without some real drawbacks too.
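To make the "more restrictive nonces" remark concrete, here is an added example (editor's illustration, not OpenACS code and not from either poster) of HTTP Digest authentication (RFC 2617, qop=auth) with a server that issues short-lived, HMAC-authenticated nonces and tracks the nonce-count so a captured Authorization header cannot simply be replayed. The realm, user name, password, client nonce and timestamps are constructed values; the HMAC-over-timestamp nonce format is one design choice, not something the thread prescribes.

```python
import hashlib
import hmac
import os
import time


def md5_hex(s: str) -> str:
    """MD5 hex digest of a string (Digest auth as specified in RFC 2617 uses MD5)."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the 'response' field of the Authorization: Digest header.
    The password itself never leaves the client; only this hash does."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side with short-lived, HMAC-protected nonces and nonce-count replay tracking."""

    def __init__(self, realm, ha1_by_user, nonce_lifetime=60):
        self.realm = realm
        # The server must keep HA1 = md5(user:realm:password) per user. HA1 is a
        # password equivalent for this realm, so it needs the same protection a password does.
        self.ha1_by_user = ha1_by_user
        self.nonce_lifetime = nonce_lifetime      # seconds a nonce stays acceptable
        self.key = os.urandom(32)                 # server secret used to authenticate nonces
        self.highest_nc = {}                      # nonce -> highest nonce-count accepted so far

    def make_nonce(self, now=None):
        # Nonce = issue timestamp plus an HMAC tag, so the server can check age and
        # authenticity without storing every nonce it ever handed out.
        ts = str(int(time.time() if now is None else now))
        tag = hmac.new(self.key, ts.encode(), hashlib.sha256).hexdigest()[:32]
        return f"{ts}:{tag}"

    def nonce_valid(self, nonce, now=None):
        ts, _, tag = nonce.partition(":")
        if not ts.isdigit():
            return False
        expected = hmac.new(self.key, ts.encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(tag, expected):
            return False
        now = time.time() if now is None else now
        return 0 <= now - int(ts) <= self.nonce_lifetime

    def verify(self, params, method, now=None):
        """params: dict of the fields parsed from the Authorization: Digest header."""
        try:
            user, nonce, nc = params["username"], params["nonce"], params["nc"]
            cnonce, uri, response = params["cnonce"], params["uri"], params["response"]
        except KeyError:
            return False
        if params.get("realm") != self.realm or params.get("qop", "auth") != "auth":
            return False
        if user not in self.ha1_by_user or not self.nonce_valid(nonce, now):
            return False
        # Replay defence: the nonce-count for a given nonce must strictly increase.
        try:
            nc_val = int(nc, 16)
        except ValueError:
            return False
        if nc_val <= self.highest_nc.get(nonce, 0):
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1_by_user[user]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.highest_nc[nonce] = nc_val
        return True


def demo():
    """Walk one client/server exchange through the normal, replayed, wrong-password and expired cases."""
    realm = "dev.example.invalid"                       # constructed realm
    server = DigestServer(realm, {"alice": md5_hex(f"alice:{realm}:s3cret")}, nonce_lifetime=60)
    t0 = 1_700_000_000                                  # constructed clock value
    nonce = server.make_nonce(now=t0)

    def attempt(password, nc, now):
        resp = digest_response("alice", realm, password, "GET", "/admin/", nonce, nc, "abc123")
        header = {"username": "alice", "realm": realm, "nonce": nonce, "uri": "/admin/",
                  "nc": nc, "cnonce": "abc123", "qop": "auth", "response": resp}
        return server.verify(header, "GET", now=now)

    return {
        "good": attempt("s3cret", "00000001", t0 + 5),
        "replay": attempt("s3cret", "00000001", t0 + 6),   # same nonce-count again
        "next": attempt("s3cret", "00000002", t0 + 7),
        "wrong_pw": attempt("wrong", "00000003", t0 + 8),
        "expired": attempt("s3cret", "00000004", t0 + 600),  # past nonce_lifetime
    }


if __name__ == "__main__":
    print(demo())
```

Two points the code makes visible: the nonce lifetime and the nonce-count check are what keep a sniffed header from being reused, which is the "restrictive nonces" qualification in the post above; and the server still has to hold HA1, a realm-scoped password equivalent, so Digest moves the secret off the wire but does not remove it from the server.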