At work we have a series of changing passwords; they are based around the date. For example, the least secure of our passwords would be worked out something like:

9999 - mmdd = password

So if the date is April 02 2009, then the mmdd string would be 0402. The password would be calculated as 9999 - 0402 = 9597

Although the password would only change once a day, I am sure from this you could engineer something to change per hour or even minute if desired?

-----Original Message-----
From: ml@xxxxxxxxx [mailto:ml@xxxxxxxxx]
Sent: 02 April 2009 11:12
To: users@xxxxxxxxxxxxxxxx
Subject: Looking for cheap and secure Authentification - Build own OTP?

Hello List,

we would like to protect a Web-Application Server (let's say Outlook Webaccess or whatever) by using a Reverse Proxy / Apache. This works out quite well so far.

- - -

Now we would like to add an authentication, so that only users who pass the Reverse Proxy auth will get to the Web-App login. This can be done by some htaccess and static passwords. The disadvantage is that these are static passwords and they could be stored by keyloggers. So we need some kind of one time passwords (OTP). Is there a way to add some random "salt" to the http authentication?

- - -

I had the following idea (http://i39.tinypic.com/zmyyjs.jpg):

The user gets to some Login Page (PHP) where he enters his Username/Password. Then PHP asks him for the 3rd, 6th and 12th digit of his Passport-ID (this can be random). After submitting this, we could set this User/Password+(Append RandomNumber) combination in a database where htaccess could try to auth against. This would mean that the user would have to enter his login information AGAIN using User/Password+(Appended RandomNumber).

Is there a way to get rid of the http access prompt? Or is there maybe a completely different way to do a secure and cheap OTP authentication?

Any ideas?
Cheers,
Mario

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
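
An added example, not part of either e-mail: the date rule from the reply next to a keyed time-based one-time password (TOTP, RFC 6238), a standard way to get a code that changes every 30 seconds and is refused on reuse. The function names and the demo secret are constructed for this sketch; HMAC-SHA1 and 30-second steps are assumed, as in the RFC's defaults.

```python
import hashlib
import hmac
import struct
from datetime import date, timedelta


def date_password(day: date) -> str:
    """Scheme from the reply: 9999 - mmdd. No secret, so knowing the rule is enough."""
    return f"{9999 - (day.month * 100 + day.day):04d}"


def date_scheme_values(year: int) -> int:
    """Number of distinct passwords the date scheme produces in one year."""
    first = date(year, 1, 1)
    days = (date(year + 1, 1, 1) - first).days
    return len({date_password(first + timedelta(n)) for n in range(days)})


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, candidate, unix_time, last_used=-1, step=30, window=1):
    """Return the matched time step or None. Steps <= last_used are refused, so a
    code that was already accepted cannot be replayed (for example from a keylogger)."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used or counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter).encode(), candidate.encode()):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed demo secret (RFC 6238 test key)
    print(date_password(date(2009, 4, 2)), date_scheme_values(2008))
    code = totp(secret, 59)
    used = verify_totp(secret, code, 59)
    print(code, used, verify_totp(secret, code, 59, last_used=used))
```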