So, if I understand this right, you have people asking you to post a name
and password to get at information elsewhere.  Basically, they are just
too lazy to write it down or keep track of it themselves.  That's probably
OK, because they are likely the kind of people whose habits are, um, less
than secure.

If you were to do something, like have a little cgi, or redirect that knew
how to get to the content provider's page, then your staff could go to a
link, get the info they want, but they themselves would never actually
know the password.  That way they get the access they want without having
to remember anything, and you can say "I never told them."  It might mean
a little work to keep the things fresh, but I think you're in that boat
anyway.

As far as the particulars, someone else can help you better with the
choice of authentication implementation.  I figure that even if it were in
plaintext in a redirect, it's at least not being done by hand.  If your
vendors use https, that'd probably be best.

Just two cents worth, from a guy who should have been sleeping instead of
getting an X-terminal to work. :)

Phil

On Sun, 1 Jul 2001, George Swan wrote:

> Howdy:
> 
> While I'm struggling through with the politics of this situation,
> I thought, out of curiosity I'd post this "theoretical" scenario
> and see what folks here think---since many of you are so familiar
> with security issues:
> 
> In my workplace we purchase e-content from a number of outside
> vendors.
> 
> Some, as part of the contract, are required to provide us with
> statistics on usage of their content.
> 
> So... to provide these statistics to us, they provide us with username
> and password to access the statistic archives and usage part of their
> website.  This, among other things, allows restricting us to just our data
> and other customers to their data.
> 
> Now, some of our people--for convenience--want me to post the
> username and passwords for accessing these external vendors'
> statistics websites to part of our staff web site.
> 
> I say to myself, "It's risky enough sending username and passwords
> in the same e-mail.  Why would I want to ignore "common sense" and
> post these "website access username/passwords" on a web server
> subdirectory even if I do protect it with .htaccess?  Besides being
> somewhat dumb, isn't that breaking confidence with your business
> contact ---who has bothered to send username and passwords to you
> in separate emails?"
> 
> Questions:
> 1) Am I being snitty or is .htaccess generally secure enough?
> (My first instinct is: Nothing is completely secure; posting is dumb.)
> 2) Not knowing what security measures the outside vendors have
> taken, wouldn't posting these username/passwords at my end
> be irresponsible business behavior?  --or again am I being
> snitty and paranoid?
> (My first instinct is: If I naively provide this opening, it's
> not just me and the vendor that can get hurt but the vendor's other
> customers as well if the vendor gets hacked.)
> 3) In the context of work politics, if coworkers choose to
> post them on web directories to which they have access, I cannot
> stop them, but that doesn't mean I have to give them a helping hand.
> (My instinct: there are limits to being a nice guy and helpful
> support staff person! Aren't I being asked to put my professional
> reputation on the line while the person(s) asking me to do this
> are getting off risk free?)
> 
> Anyone seen this kind of situation before and want to vent away, I'll be
> reading them all.
> 
> TIA,
> 
> gs
> 
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> 

-- 
"To misattribute a quote is unforgivable." --Anonymous
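The "little cgi that knows how to get to the content provider's page" Phil sketches, written out as an added example (this is not Phil's code, George's, or anything from the tclug list). Staff authenticate to the internal web server (for instance via .htaccess, which makes the web server set REMOTE_USER), the gateway looks up the vendor credential server-side and makes the request to the vendor itself, so staff never see the vendor password. It also shows why Phil's "plaintext in a redirect" fallback is weaker: a redirect carrying user:password@host lands in browser history and proxy logs, so the helper refuses to emit one. Every vendor name, URL, staff account and password below is constructed for the example.

```python
"""Credential-holding gateway: staff authenticate to us, we authenticate to the
vendor, and the vendor password never leaves the server.
All vendor names, URLs, staff accounts and passwords here are constructed."""
import base64
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed sample store. In a real deployment keep this in a file readable
# only by the web server user (or a secrets manager), never under the document
# root where a misconfigured .htaccess would expose it.
VENDOR_CREDENTIALS = {
    "vendor-a": {
        "base_url": "https://stats.vendor-a.example/",
        "user": "acmelib",
        "password": "s3cr3t-A",
    },
}

# Which internal staff accounts may pull which vendor's statistics.
ACCESS_POLICY = {
    "vendor-a": {"alice", "bob"},
}


def staff_may_access(remote_user, vendor):
    """Authorisation check against the staff-side policy."""
    return remote_user in ACCESS_POLICY.get(vendor, set())


def basic_auth_header(user, password):
    """HTTP Basic credential (RFC 7617), sent only from the gateway to the vendor."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_vendor_request(vendor, path):
    """Resolve a relative path against the vendor base URL and attach the
    server-side credential. Returns None if the vendor is unknown, the path
    would leave the vendor site (no open proxy), or the site is not HTTPS
    (the credential would travel in the clear)."""
    cred = VENDOR_CREDENTIALS.get(vendor)
    if cred is None:
        return None
    url = urljoin(cred["base_url"], path)
    if not url.startswith(cred["base_url"]) or urlsplit(url).scheme != "https":
        return None
    headers = {"Authorization": basic_auth_header(cred["user"], cred["password"])}
    return urllib.request.Request(url, headers=headers)


def safe_redirect_target(url):
    """A plain redirect is acceptable only if the URL carries no credential
    (user:pass@host ends up in browser history and proxy logs) and uses HTTPS."""
    parts = urlsplit(url)
    if parts.username or parts.password or parts.scheme != "https":
        return None
    return url


def gateway(environ, vendor, path,
            fetch=lambda req: urllib.request.urlopen(req).read()):
    """CGI-style entry point. environ is the CGI environment; REMOTE_USER is
    set by the web server after the staff member authenticates. Returns
    (status, body). fetch is injectable so the logic can be exercised offline."""
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        return 401, b"staff authentication required"
    if not staff_may_access(remote_user, vendor):
        return 403, b"not permitted for this vendor"
    req = build_vendor_request(vendor, path)
    if req is None:
        return 400, b"unknown vendor or path outside the vendor site"
    return 200, fetch(req)


if __name__ == "__main__":
    # Dry run with a stand-in fetch so nothing touches the network.
    print(gateway({"REMOTE_USER": "alice"}, "vendor-a", "usage/2001-06.csv",
                  fetch=lambda r: r.full_url.encode()))
```

Wired up as a CGI, the script answers a URL such as /stats/vendor-a/usage/2001-06.csv: the staff-side .htaccess decides who reaches the script at all, ACCESS_POLICY decides which vendor each person may query, and the vendor password exists only in the server-side store and in the Authorization header of the server-to-vendor HTTPS request. That keeps Phil's "I never told them" property while avoiding the credential-in-URL problem of a bare redirect.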