[WEB SECURITY] Password-less login ?

Rohit Pitke rohirp92 at yahoo.com
Fri Feb 1 14:41:48 EST 2013


People often do confuse whether the URI is encrypted when HTTPS is used. It is indeed, and as Phil mentioned, only the domain name and a bit of other network information is logged on transparent proxies.
Though password-less login is a great idea, it has some practical disadvantages, like remembering a very long URL with the token and the expiry of those tokens. It might work in some small set-up of an enterprise-level web app but is difficult to scale in multi-user applications.

-Rohit 
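A server-side pattern that addresses both points raised in this thread (the token is encrypted on the wire but lands in web server logs, and long-lived link tokens are hard to manage): an added example, not code from the thread or from Glenn's system. It stores only a hash of each link token, consumes the token on first use, exchanges it for a session, and redacts the token segment from access-log lines. The host name, the TTL and the in-memory store layout are assumptions.

```python
import hashlib
import re
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a link token lives 15 minutes
LOGIN_RE = re.compile(r"/login/[A-Za-z0-9_-]+")


class LinkLoginStore:
    """One-time login links for the tablet case in the thread. Only a SHA-256
    digest of each token is stored, so a leaked store or log line cannot mint
    a session on its own."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # token digest -> (user_id, expires_at)
        self._sessions = {}    # session id -> user_id

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return "https://someserver.com/login/" + token   # host name as in the thread

    def redeem(self, path):
        """Exchange the token in a request path for a session id, or None.
        The token is consumed on first lookup, so a replay from a log file
        or proxy cache fails even before the expiry check."""
        token = path.rsplit("/", 1)[-1]
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = user_id
        return session_id

    def user_for_session(self, session_id):
        return self._sessions.get(session_id)


def redact_login_token(log_line):
    """Rewrite an access-log line so the token never reaches disk."""
    return LOGIN_RE.sub("/login/[redacted]", log_line)
```

After redemption the client holds an ordinary session cookie, so the URL that proxies and web servers may have recorded no longer grants access.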


________________________________
 From: BSDwiz <bsdwiz at gmail.com>
To: Glenn Pierce <glennpierce at gmail.com> 
Cc: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org> 
Sent: Monday, January 28, 2013 4:23 PM
Subject: Re: [WEB SECURITY] Password-less login ?
 

Yep, after the domain name it's all encrypted via HTTP(S). But it would still be in the clear in the web server logs.

-phil
On Jan 28, 2013, at 3:07 PM, Glenn Pierce <glennpierce at gmail.com> wrote:


>Thanks for the good ideas everyone. I have a few things to think about.
>
>When accessing through HTTPS, what will upstream proxies log? Just the encrypted URL, right?
>
>
>
>On 28 January 2013 09:13, Glenn Pierce <glennpierce at gmail.com> wrote:
>
>>Hi, I'd like to have opinions on the security of logging into a website
>>with just a uid,
>>i.e.
>>
>>https://someserver.com/login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2
>>
>>I have inherited a system that provides a login for tablets which log in in this manner.
>>(It needs an automated login for the tablets.)
>>Obviously the URL is required to be encrypted by always requiring HTTPS.
>>
>>We often provide one-time tokens like this when someone has forgotten their password.
>>But why not allow this to be a permanent login?
>>
>>Why is requiring a uid like the above worse than a username/password?
>>I believe I am missing something stupid, as you would see more of this kind of thing.
>>That makes me nervous.
>>
>>Thanks for any feedback.
>
_______________________________________________
>The Web Security Mailing List
>
>WebSecurity RSS Feed
>http://www.webappsec.org/rss/websecurity.rss
>
>Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>WASC on Twitter
>http://twitter.com/wascupdates
>
>websecurity at lists.webappsec.org
>http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>