Hi All, I just made a site using Drupal 6.2 and on the front page I have kept the "user login" block. I hosted this site using a third-party web server.
I tried to log in to the new site from my PC using my user name and password, and prior to that I was capturing the packets that were being sent/received by my PC. By checking a few packets' content I could figure out the user name and password in plain text.
So it looks like others can see these packets and get the administrative user name and corresponding password, and hence can modify site content, and it is really dangerous. I assume people must have thought of it and there should be some way to make sure the username and password are encrypted by default, hence avoiding a third party's role in site content modification.
Please guide me in this regard and provide some pointers on how I can make username/password secure while logging in to sites based on Drupal.
Regards Austin
On Sunday 09 January 2011 09:36:06, Austin Einter wrote:
Please guide me in this regard and provide some pointers on how I can make username/password secure while logging in to sites based on Drupal.
http://drupal.org/project/securelogin
You may also want to look at http://drupal.org/project/securepages On Jan 9, 2011 1:36 AM, "Austin Einter" <austin.einter@gmail.com> wrote:
Hi All, I just made a site using Drupal 6.2 and on the front page I have kept the "user login" block. I hosted this site using a third-party web server.
I tried to log in to the new site from my PC using my user name and password, and prior to that I was capturing the packets that were being sent/received by my PC. By checking a few packets' content I could figure out the user name and password in plain text.
So it looks like others can see these packets and get the administrative user name and corresponding password, and hence can modify site content, and it is really dangerous. I assume people must have thought of it and there should be some way to make sure the username and password are encrypted by default, hence avoiding a third party's role in site content modification.
Please guide me in this regard and provide some pointers on how I can make username/password secure while logging in to sites based on Drupal.
Regards Austin
Hello Austin,
On Sun, 2011-01-09 at 14:06 +0530, Austin Einter wrote:
By checking a few packets' content I could figure out the user name and password in plain text.
This is an issue with *any* web application that connects over HTTP. If this is a concern you should set up your web server to use SSL (HTTPS) for such connections.
That said, personally I feel users choosing poor passwords is a much greater concern than someone being able to sniff those passwords on the internet. For the average bad guy sniffing traffic on the internet requires much more effort than running a script that brute forces (weak) passwords.
You might want to look into the User Protect module. You can use this module to block users from changing their passwords.
Regards, Leonard.
Thanks everybody for providing such wonderful suggestions on the security aspect. Summary of the various suggestions provided by Drupal experts:
1. SSL can be used for the login page
2. Use the Secure Login and Secure Pages modules (mixed HTTPS-HTTP mode)
3. Use the Securepages Prevent Hijack module
4. Use the 443 Session module
5. Use HTTPS for a session after login
6. Just make all Drupal pages SSL
7. Configure the web server to use SSL for all pages
In fact, http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-poss... is very useful, as it presents a bit of insight into the code and the experience of users who tried to implement security for their sites.
Now I will need to look at security for my site from a different perspective. As of now I hope my security design can follow the approach below.
1. I should have two different roles, say "Normal Users" and "Special Users".
2. I will allow "Normal Users" to create and manage their account, and by using Secure Login and Secure Pages I will provide security to some extent.
3. For "Special Users", each and every page they access needs to be secure.
So I am looking at role-based security. Has anybody followed this approach? If so, can you guide me on how to achieve it. Best Regards Austin
On Mon, Jan 10, 2011 at 4:31 AM, Leonard den Ottolander.nl <drupal@den.ottolander.nl> wrote:
Hello Austin,
On Sun, 2011-01-09 at 14:06 +0530, Austin Einter wrote:
By checking a few packets' content I could figure out the user name and password in plain text.
This is an issue with *any* web application that connects over HTTP. If this is a concern you should set up your web server to use SSL (HTTPS) for such connections.
That said, personally I feel users choosing poor passwords is a much greater concern than someone being able to sniff those passwords on the internet. For the average bad guy sniffing traffic on the internet requires much more effort than running a script that brute forces (weak) passwords.
You might want to look into the User Protect module. You can use this module to block users from changing their passwords.
Regards, Leonard.
-- mount -t life -o ro /dev/dna /genetic/research
-- [ Drupal support list | http://lists.drupal.org/ ]
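The two-tier scheme Austin sketches (login paths always over HTTPS, every page over HTTPS for a "Special Users" role, plain HTTP left in place for everyone else) is what the Secure Login and Secure Pages modules he lists automate. The following is an added illustration written for this thread, not code from either of those projects or from Drupal core; it is a hypothetical Drupal 6 module named `rolessl`, and it assumes Apache/mod_ssl populates `$_SERVER['HTTPS']` and that `$base_url` is set in settings.php. The point it makes that the thread's prose does not: a redirect alone is not enough, because the login block on an HTTP front page would still POST the password in clear text before any redirect is seen, so the form's action must be rewritten as well.

```php
<?php
/**
 * @file
 * Hypothetical Drupal 6 module "rolessl" (added example, not securelogin or
 * securepages code). Sends the login-related paths, and every request made
 * by a user holding the "Special Users" role, to HTTPS.
 */

/**
 * System paths that must be served over HTTPS regardless of role.
 */
function rolessl_always_secure_paths() {
  return array('user', 'user/login', 'user/register', 'user/password');
}

/**
 * TRUE when the current request arrived over TLS.
 *
 * Assumes mod_ssl sets $_SERVER['HTTPS']. Behind a TLS-terminating proxy
 * this flag is never set; you would have to honour X-Forwarded-Proto
 * instead, and only when the request comes from that proxy's address.
 */
function rolessl_request_is_https() {
  return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off';
}

/**
 * Decide whether $path must be HTTPS for a user carrying $roles.
 *
 * @param $path   Drupal system path, e.g. 'user/login' or 'node/12/edit'.
 * @param $roles  $user->roles array (rid => role name).
 */
function rolessl_path_requires_https($path, $roles) {
  if (in_array($path, rolessl_always_secure_paths())) {
    return TRUE;
  }
  // Role name as used in the thread; a real module would make it a setting.
  return in_array('Special Users', $roles);
}

/**
 * Rewrite an absolute URL produced by url() to use the https scheme.
 * The host therefore comes from the configured $base_url, not from the
 * client-supplied Host header.
 */
function rolessl_https_url($path, $query = NULL) {
  $url = url($path, array('absolute' => TRUE, 'query' => $query));
  return preg_replace('@^http://@i', 'https://', $url);
}

/**
 * Implementation of hook_init(): runs before any page output, so the
 * redirect is issued before content (or a form) reaches the client.
 */
function rolessl_init() {
  global $user;

  if (rolessl_request_is_https()) {
    return;
  }
  if (!rolessl_path_requires_https($_GET['q'], $user->roles)) {
    return;
  }

  // Keep the original query string (minus Drupal's own q parameter).
  $query = $_GET;
  unset($query['q']);
  $target = rolessl_https_url($_GET['q'], $query ? http_build_query($query) : NULL);
  header('Location: ' . $target, TRUE, 302);
  exit;
}

/**
 * Implementation of hook_form_alter().
 *
 * The login block is rendered on HTTP pages for "Normal Users"; its POST
 * must still go to the HTTPS site or the credentials cross the wire in
 * clear text exactly as Austin observed in his packet capture.
 */
function rolessl_form_alter(&$form, $form_state, $form_id) {
  if ($form_id == 'user_login' || $form_id == 'user_login_block') {
    // drupal_get_destination() returns 'destination=<current path>', so the
    // user lands back where they were after logging in.
    $form['#action'] = rolessl_https_url('user/login', drupal_get_destination());
  }
}
```

Two caveats a practitioner would want: first, in this mixed mode the session cookie is still sent over plain HTTP on the "Normal Users" pages, so a sniffer who misses the password can still take the cookie; that is the problem the Securepages Prevent Hijack and 443 Session modules in Austin's summary exist to address, and making all pages SSL (options 6 and 7 in his list) removes it outright. Second, once every page for a role is HTTPS, `session.cookie_secure` can be enabled in settings.php so the browser never presents that role's cookie over HTTP at all.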