So, if I understand this right, you have people asking you to post a name and password to get at information elsewhere. Basically, they are just too lazy to write it down or keep track of it themselves. That's probably OK, because they are likely the kind of people whose habits are, um, less than secure. If you were to do something, like have a little cgi, or redirect that knew how to get to the content provider's page, then your staff could go to a link, get the info they want, but they themselves would never actually know the password. That way they get the access they want without having to remember anything, and you can say "I never told them." It might mean a little work to keep the things fresh, but I think you're in that boat anyway.

As far as the particulars, someone else can help you better with the choice of authentication implementation. I figure that even if it were in plaintext in a redirect, it's at least not being done by hand. If your vendors use https, that'd probably be best.

Just two cents worth, from a guy who should have been sleeping instead of getting an X-terminal to work. :)

Phil

On Sun, 1 Jul 2001, George Swan wrote:

> Howdy:
>
> While I'm struggling through with the politics of this situation,
> I thought, out of curiosity I'd post this "theoretical" scenario
> and see what folks here think---since many of you are so familiar
> with security issues:
>
> In my workplace we purchase e-content from a number of outside
> vendors.
>
> Some, as part of the contract, are required to provide us with
> statistics on usage of their content.
>
> So... to provide these statistics to us, they provide us with username
> and password to access the statistic archives and usage part of their
> website. This, among other things, allows restricting us to just our data
> and other customers to their data.
>
> Now, some of our people--for convenience--want me to post the
> username and passwords for accessing these external vendors'
> statistics websites to part of our staff web site.
>
> I say to myself, "It's risky enough sending username and passwords
> in the same e-mail. Why would I want to ignore "common sense" and
> post these "website access username/passwords" on a web server sub
> directory even if I do protect it with .htaccess? Besides being
> somewhat dumb? isn't that breaking confidence with your business
> contact ---who has bothered to send username and passwords to you
> in separate emails?"
>
> Questions:
> 1) Am I being snitty or is .htaccess generally secure enough?
> (My first instinct is: Nothing is completely secure; posting is dumb.)
> 2) Not knowing what security measures the outside vendors have
> taken, wouldn't posting these username/passwords at my end
> be irresponsible business behavior? --or again am I being
> snitty and paranoid?
> (My first instinct is: If I naively provide this opening, it's
> not just me and the vendor that can get hurt but the vendor's other
> customers as well if the vendor gets hacked.)
> 3) In the context of work politics, if coworkers choose to
> post them on web directories to which they have access, I cannot
> stop them, but that doesn't mean I have to give them a helping hand.
> (My instinct: there are limits to being a nice guy and helpful
> support staff person! Aren't I being asked to put my professional
> reputation on the line while the person(s) asking me to do this
> are getting off risk free?)
>
> Anyone seen this kind of situation before and want to vent away, I'll be
> reading them all.
>
> TIA,
>
> gs
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>

-- 
"To misattribute a quote is unforgivable." --Anonymous
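Phil's "little cgi that knows how to get to the content provider's page" is, in today's terms, a credential proxy: staff authenticate to the in-house server (the .htaccess-protected directory George mentions would do), the script holds the vendor login in a file outside the document root, fetches the vendor's statistics page over HTTPS on the staffer's behalf, and returns only the body. The Python below is an added example written for this page, not code from either poster or from the list; the credential-file path and tab-separated format, the vendor name, the query parameter and the sample credential are all assumptions.

```python
"""Credential-proxy CGI sketch (added example, not from the thread).

Request: /cgi-bin/stats?vendor=vendorA  (after the web server has already
authenticated the staff member). The vendor password never reaches the
browser, the staff web page, or the query string.
"""
import base64
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Assumed path: readable only by the web server user, outside DocumentRoot.
CREDENTIAL_FILE = os.environ.get("VENDOR_CREDS", "/etc/vendor-stats/credentials.tsv")

# Constructed sample in the assumed format: vendor<TAB>https_url<TAB>user<TAB>password
SAMPLE_CREDENTIALS = (
    "# constructed sample credential file\n"
    "vendorA\thttps://stats.example.invalid/report\talice\ts3cret\n"
)

Creds = Dict[str, Tuple[str, str, str]]                 # vendor -> (url, user, password)
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def parse_credentials(text: str) -> Creds:
    """Parse the credential file; refuse any vendor URL that is not HTTPS."""
    creds: Creds = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields")
        vendor, url, user, password = parts
        if not url.lower().startswith("https://"):
            # Phil's point: if the vendor offers https, use it; never send the
            # stored credential in the clear on the staff's behalf.
            raise ValueError(f"line {lineno}: refusing non-HTTPS URL for {vendor}")
        creds[vendor] = (url, user, password)
    return creds


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """HTTP Basic header for the upstream vendor request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def default_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real fetcher: one HTTPS request to the vendor with a 15 s timeout."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def proxy_stats(vendor: str, creds: Creds, fetch: Fetcher = default_fetch) -> Tuple[int, bytes]:
    """Fetch the vendor's stats page for an already-authenticated staffer."""
    if vendor not in creds:
        return 404, b"unknown vendor"
    url, user, password = creds[vendor]
    status, body = fetch(url, basic_auth_header(user, password))
    if status in (401, 403):
        # Stored credential is stale or revoked ("keep the things fresh").
        # Do not relay the vendor's auth challenge: the browser would then
        # prompt staff for the very password this script is hiding from them.
        return 502, b"vendor rejected our stored credential; contact support"
    if status != 200:
        return 502, b"vendor returned an error"
    return 200, body


def demo() -> Tuple[int, bytes]:
    """Offline run against the constructed sample with a fake vendor."""
    creds = parse_credentials(SAMPLE_CREDENTIALS)

    def fake_vendor(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        return 200, b"<html>usage report: 1234 hits</html>"

    return proxy_stats("vendorA", creds, fake_vendor)


def main() -> None:
    """CGI entry point: vendor id comes from QUERY_STRING, e.g. vendor=vendorA."""
    pairs = os.environ.get("QUERY_STRING", "").split("&")
    query = dict(p.split("=", 1) for p in pairs if "=" in p)
    with open(CREDENTIAL_FILE, encoding="utf-8") as fh:
        creds = parse_credentials(fh.read())
    status, body = proxy_stats(query.get("vendor", ""), creds)
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/html\r\n\r\n")
    sys.stdout.flush()
    sys.stdout.buffer.write(body)


if __name__ == "__main__":
    main() if os.environ.get("GATEWAY_INTERFACE") else print(demo())
```

Two design points worth noting: the only place the password exists is the credential file, so rotating a vendor login means editing one line rather than re-posting it to staff, and a 401/403 from the vendor is turned into a generic 502 so the browser never shows an authentication prompt that would invite someone to type (or ask for) the hidden password.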