Q&A

  1. Q: I have a Unix system. Can I use /etc/passwd as my user database?

     A: Although it might seem convenient, it is advisable that you do not use the existing /etc/passwd file for authenticating users of your Web site. Otherwise, an attacker who obtains the credentials of one of your Web site's users also gains a login on the system itself. Keep separate databases and encourage users to choose different passwords for their system accounts and their Web access. Periodically run password checkers that scan for weak passwords and for accounts in which the username is also the password.

  2. Q: Why am I asked for my password twice on some Web sites?

     A: Your browser caches your credentials so that you do not have to type them for every request. The cached entry is keyed on the realm (the AuthName directive) and the hostname of the Web site. Sometimes the same Web site can be reached under different names, such as example.com and http://www.example.com. If you are authorized to access a restricted area of example.com but are redirected, or follow a link, to http://www.example.com, you will be asked for the username and password again because your browser treats it as a completely different Web site.
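The periodic password check recommended in the first answer, as an added example that is not code from the book: a Python audit of an htpasswd-style file in the {SHA} scheme (the format written by htpasswd -s), flagging accounts whose password equals the username or appears in a weak-password list. The sample entries, the word list and the unsupported $apr1$ line are constructed here; a real deployment would audit its own file with a fuller list, and other hash schemes would need their own verifier.

```python
import base64
import hashlib

def sha_entry(user, password):
    """Build one htpasswd line in the {SHA} scheme: user:{SHA}base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

# Constructed sample file (not a real deployment); hashes are generated
# here rather than hand-typed so they are guaranteed to match.
SAMPLE_HTPASSWD = "\n".join([
    sha_entry("alice", "alice"),        # username is also the password
    sha_entry("bob", "letmein"),        # present in the weak list below
    sha_entry("carol", "correct horse battery staple"),  # should not be flagged
    "dave:$apr1$placeholder$xxxxxxxxxxxxxxxxxxxxxx",  # MD5 scheme: not handled here
])

# Constructed, deliberately tiny weak-password list; use a real one in practice.
WEAK_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

def verify_sha(stored, candidate):
    """Return True if candidate hashes to the stored {SHA} value."""
    digest = hashlib.sha1(candidate.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii") == stored[len("{SHA}"):]

def audit_htpasswd(text, weak_passwords=WEAK_PASSWORDS):
    """Return (user, reason) findings for every account that fails a check."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        if not stored.startswith("{SHA}"):
            findings.append((user, "unsupported hash scheme, not checked"))
            continue
        if verify_sha(stored, user):
            findings.append((user, "username is also the password"))
            continue
        for guess in weak_passwords:
            if verify_sha(stored, guess):
                findings.append((user, "password found in weak-password list"))
                break
    return findings

if __name__ == "__main__":
    for user, reason in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user}: {reason}")
```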
