Tech Member area security: Basic Authentication vs PHP session variables? - GoFuckYourself.com

dcortez · 04-21-2022, 02:09 AM

This is for a Linux/Apache environment...

Is anyone using Basic Authentication for password protection of membership areas?

Twenty years ago, I was using Basic Authentication, but the 8 char username and password length limits won't cut it today.

I understand that both username and passwords can be substantially longer and more contemporary encryption algorithms are now supported by Apache.

Any suggestions, or words of wisdom?

Thanks!

k0nr4d · 04-21-2022, 02:12 AM

There's a mix of this still, plenty still using http authentication.

If using php sessions you need to use URL signing/hashing for the video files, because they won't be protected otherwise.

dcortez · 04-21-2022, 10:13 AM

Quote:

Originally Posted by k0nr4d

There's a mix of this still, plenty still using http authentication.

If using php sessions you need to use URL signing/hashing for the video files, because they won't be protected otherwise.

Thanks for that.

I'm actually inclined to use Basic Authentication, and I just needed some assurances that it has not been totally abandoned for security limitations.

Then, there's the issue of which encryption scheme to use...

k0nr4d · 04-21-2022, 11:02 AM

Quote:

Originally Posted by dcortez

Thanks for that.

I'm actually inclined to use Basic Authentication, and I just needed some assurances that it has not been totally abandoned for security limitations.

Then, there's the issue of which encryption scheme to use...

It has not been abandoned, and there are no security issues with it other then that it doesn't natively offer any protection against bruteforce. If you are using Apache 2.4, then the algo you want to use to generate the passwords is bcrypt. None of the algos are INSECURE in practice. Google cracked SHA1 but a single phrase would apparently take a single GPU 110 years to crack so in practice no one is really gonna get through it. The only really insecure hash is unsalted MD5 because it can be reversed using rainbow tables.

dcortez · 04-21-2022, 11:18 AM

Quote:

Originally Posted by k0nr4d

It has not been abandoned, and there are no security issues with it other then that it doesn't natively offer any protection against bruteforce. If you are using Apache 2.4, then the algo you want to use to generate the passwords is bcrypt. None of the algos are INSECURE in practice. Google cracked SHA1 but a single phrase would apparently take a single GPU 110 years to crack so in practice no one is really gonna get through it. The only really insecure hash is unsalted MD5 because it can be reversed using rainbow tables.

Thank-you. I really appreciate all this information. It will save me a lot of time.

04-21-2022, 02:09 AM	#1
dcortez DINO CORTEZ™ Industry Role: Join Date: Jun 2003 Location: Vancouver Island Posts: 2,145	Member area security: Basic Authentication vs PHP session variables? This is for a Linux/Apache environment... Is anyone using Basic Authentication for password protection of membership areas? Twenty years ago, I was using Basic Authentication, but the 8 char username and password length limits won't cut it today. I understand that both username and passwords can be substantially longer and more contemporary encryption algorithms are now supported by Apache. Any suggestions, or words of wisdom? Thanks!

04-21-2022, 02:12 AM	#2
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,228	There's a mix of this still, plenty still using http authentication. If using php sessions you need to use URL signing/hashing for the video files, because they won't be protected otherwise. __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development