Bugtraq mailing list archives

Re: Intacct.com: Multiple bugs at financial services company


From: Aaron Bentley <abentley () PANORAMICFEEDBACK COM>
Date: Wed, 6 Sep 2000 13:23:43 -0400

On Wed, 6 Sep 2000, Chris L. Mason wrote:

> I think there's a solution to this "problem" that is far too often
> overlooked.  More sites simply need to start using HTTP Basic
> Access Authentication.  This is the mechanism that causes a "pop-up"
> box to appear where the user must enter their username and password.

Hi,
We use Basic Authentication on our site.  Here are some extra comments:

1. If you ask it to, Internet Explorer will cache the password indefinitely

2. The username is cached.  It's very tricky to allow users to change their
username without restarting their browser

3. Proxy servers can interfere with HTTP authentication.  When your web site
doesn't work, they'll blame you, not themselves.

4. It's harder to detect dictionary attacks on your web site, since http auth
is usually handled at the server level, not the CGI level.

Aaron

Aaron Bentley
Manager of Information Technology
PanoMetrics, Inc.
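Point 4 above is about visibility: when the server, not the CGI, handles the credentials, the application never sees the failed attempts. The access log still does, so they can be recovered from there. The following is an added example, not code from the original post; it assumes the Apache/NCSA combined log format and uses constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: the third field is the remote user (often "-" on a
# 401) and the status code follows the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample (not real traffic): one client repeatedly rejected,
# one legitimate user whose first request is the normal Basic challenge.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Sep/2000:13:20:01 -0400] "GET /accounts/ HTTP/1.0" 401 401
203.0.113.7 - - [06/Sep/2000:13:20:02 -0400] "GET /accounts/ HTTP/1.0" 401 401
203.0.113.7 - - [06/Sep/2000:13:20:02 -0400] "GET /accounts/ HTTP/1.0" 401 401
203.0.113.7 - - [06/Sep/2000:13:20:03 -0400] "GET /accounts/ HTTP/1.0" 401 401
203.0.113.7 - - [06/Sep/2000:13:20:04 -0400] "GET /accounts/ HTTP/1.0" 401 401
203.0.113.7 - - [06/Sep/2000:13:20:05 -0400] "GET /accounts/ HTTP/1.0" 401 401
198.51.100.9 - - [06/Sep/2000:13:21:00 -0400] "GET /accounts/ HTTP/1.0" 401 401
198.51.100.9 - alice [06/Sep/2000:13:21:09 -0400] "GET /accounts/ HTTP/1.0" 200 5120
"""

def parse(line):
    """Return (ip, user, timestamp, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("user"), ts, int(m.group("status"))

def find_guessing(log_text, threshold=5, window_s=60):
    """Map client IP -> number of 401s seen inside a sliding window of
    window_s seconds, for clients reaching threshold.  Every Basic auth
    session starts with one 401 (the challenge), so threshold must be > 1."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[3] == 401:
            failures[rec[0]].append(rec[2])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
    return flagged
```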

