protecting a freeweb

[eruheru]

hey all,

im making a website on freewebs that only certain people are allowed to access, how can i password protect the site?

[RyanJ]

hey all' date='

im making a website on freewebs that only certain people are allowed to access, how can i password protect the site?[/quote']

 

.htaccess maybe? Its the best solution I can think of unless your looking for a user register & login system.

 

Cheers,

 

Ryan Jones

[NeonBlack]

.htaccess maybe?

 

Can you do that on freewebs?

I'm pretty sure that there's no php on freewebs either, so I'm guessing that the best you can do is a JS or flash password protection.

[ecoli]

why bother... what are the chances of people randomly stumbling on your site, anyway. And if you don't give out the URL to wrong people than you shouldn't have a problem.

[RyanJ]

Can you do that on freewebs?

I'm pretty sure that there's no php on freewebs either' date=' so I'm guessing that the best you can do is a JS or flash password protection.[/quote']

 

I'm not shure but ecoli makes a good point, give the link onlyto the people you want to see it and don't post the link on the internet so the bots can't pick it up. That should do the trick.

 

If freewebs don't allow .htaccess and or PHP I suggest you find yourself a better host.

 

Cheers,

 

Ryan Jones

[eruheru]

Can you do that on freewebs?

I'm pretty sure that there's no php on freewebs either' date=' so I'm guessing that the best you can do is a JS or flash password protection.[/quote']

how would you do it with JS?

[eruheru]

i think ill change from freewebs. what do you suggest?

[RyanJ]

how would you do it with JS?

 

Client Side codes do not work because they can be dispbled, you need something server side.

 

Cheers,

 

Ryan Jones

[Dak]

iirc, freewebs offers some server-side gubbins, but i can't remember which, and it might be limited to server-side includes.

 

i remember seing something about password-protecting folders in the FAQ section on the freeweb account page, so the answre should be there.

[eruheru]

iirc' date=' freewebs offers some server-side gubbins, but i can't remember which, and it might be limited to server-side includes.

 

i remember seing something about password-protecting folders in the FAQ section on the freeweb account page, so the answre should be there.[/quote']

you need a premium account for that, and i dont want to pay for it.

[NeonBlack]

You really need to consider these things:

1. What are you protecting?

2. Whom are you protecting it from?

3. What level of protection do you want/need?

[Nezumi]

I liked creating password screen with macromedia flash.

[RyanJ]

I liked creating password screen with macromedia flash.

 

Like I said there is one major dissadvantage with using client side files, they can be downloadd and the password grabbed from the file.

 

ALWAYS use server side code where possble.

 

Cheers,

 

Ryan Jones

[Klaynos]

Also lots of people don't have flash. And that is VERY heavy way of creating a password protected thing...

[the tree]

heh, Freewebs will do password protection for free anyways.

[5614]

It's actually quite hard to get a password from a .swf file. I'm not saying we can't do it, but remember that it's not obvious to the average person.

 

Also this is only a personal website, if he only gives out the URL to specific people... it's like what NeonBlack said: What protecting? From who? How much security do you want?

 

Klaynos; what do you mean it is a "heavy" way of creating a password?

 

RyanJ; I don't use freewebs, but from what I've read here I'm getting the idea that they don't allow server side scripts/code, so whilst what you say is a good general security point, it is not so applicable/useful here. Unless they do allow server side scripts...

[Klaynos]

System intencive for the user and bandwidth intencive for the server. Compared to a simple .htaccess... Most free hosts I've come accross alow limited use. Althouth I cannot comment explicetly.

[padren]

You could probably code some sort of one-way encryption into a flash file, and embed the hash. Then, a person types the password, it encrypts it, and compares what they typed to the hash that is stored in the flash file.

 

Its not ideal, as someone can download it, crack it open, and run a brute force challange of 00000000000000000000... through 11111111111111111111... on their own computer until they find the hash that matches to steal your password.

 

A funky way would to use the hash, then name the targetted file you want to hide <that_hash>.htm

 

instead of storing the correct hash in the flash, you link to the page, and it does a 404 error when wrong. Once someone gets through once, they could pass the link to anyone of course.

 

If you trust the people you want to see it, just call it OpenSesame.htm and no one will be able to find it if they don't type in the exact link - no password protection.

[CanadaAotS]

Ok, so at this point I'm sure were all just curious.

 

What are you putting on a freeweb site that you would need to have password protected?

[RyanJ]

RyanJ; I don't use freewebs' date=' but from what I've read here I'm getting the idea that they don't allow server side scripts/code, so whilst what you say is a good general security point, it is not so applicable/useful here. Unless they do allow server side scripts...[/quote']

 

No I know which is why they are useless as a host. If the person can see the code it can be easily broken, thing like JS and flash are no good for exactly the reason which I was trying to make

 

Cheers,

 

Ryan Jones

[5614]

If I had a .swf file and I want to see the code in it then what would I do? Convert it to .fla ? How? Because I've never found a proper working .swf to .fla converter.

 

And I second what CanadaAotS said... what is it you wanna protect?!?

[RyanJ]

If I had a .swf file and I want to see the code in it then what would I do? Convert it to .fla ? How? Because I've never found a proper working .swf to .fla converter.

 

Probably the best way would be hard code the internal password with an MD5 encription and then do that for the input check - even if they download the file they will not get the access password

 

Cheers,

 

Ryan Jones

[padren]

Probably the best way would be hard code the internal password with an MD5 encription and then do that for the input check - even if they download the file they will not get the access password

 

Cheers' date='

 

Ryan Jones[/quote']

 

but they could brute force a text string in a loop until they found the matching md5 hash result that is embedded in the swf. Also, if you embed the password, do you embed the content?

What does the flash show you when the password is correct?

 

You really should go with .htaccess if you want to protect files.

 

Try to google for "free web hosting" + password + ".htaccess" or something, when you compare the time it takes to write a "quasi" functional client-side system vs. the time to find a decent free host that allows server side password protection, I think you'll find its better to go the server side route.

[RyanJ]

but they could brute force a text string in a loop until they found the matching md5 hash result that is embedded in the swf. Also' date=' if you embed the password, do you embed the content?

What does the flash show you when the password is correct? [/quote']

 

Put it this way brute force and a password whos length over 6 characters encoded just does not work.

 

Show... it does not have to show anything, all it needs to do is some sort of coded redirect.

 

Cheers,

 

Ryan Jones

[padren]

Put it this way brute force and a password whos length over 6 characters encoded just does not work.

 

Show... it does not have to show anything' date=' all it needs to do is some sort of coded redirect.

 

Cheers,

 

Ryan Jones[/quote']

 

http://www.securiteam.com/tools/5WP031FA0U.html

 

You could md5 the redirection URL too, but one the person saw the new URL they got redirected to, they could bypass the password system after that point.

You may as well hand out the redirection URL to people instead of the password.