Password protection

I need a scheme to give people password access to JavaScript quizzes that
I have.
I've done a lot of programming but almost no JS.

Probably one password per person for each of five tests.

I suspect I will be maintaining the lists but if there is a *very* easy
routine that an end user could use it would be nice.
It usually takes more than five visits to get this guy up on anything new.

Any ideas where I might find such a beast?
I've been looking but with little luck so far.

In article <d6ucb.157716$3o3.11280827 (AT) bgtnsc05-news (DOT) ops.worldnet.att.net>,
"Mike Painter" <mdotpainter (AT) att (DOT) net> writes:

Quote:

I need a scheme to give people password access to JavaScript quizzes that
I have.
I've done a lot of programming but almost no JS.

Use a server side language (PHP, ASP, Server Side Javascript, etc.) Anything
you try to do in the browser, with regards to multiple users/passwords, will
fail.

Although Jim Ley showed me a page that is "password protected" that is pretty
spiffy. I have yet to break it. But, it doesn't contain the password in the
page, the password is a key to decrypting the page.

If the password is in the page, then it can/will be broken, and quite easily.
--
Randy

"HikksNotAtHome" <hikksnotathome (AT) aol (DOT) com> wrote

Quote:

In article <d6ucb.157716$3o3.11280827 (AT) bgtnsc05-news (DOT) ops.worldnet.att.net>,
"Mike Painter" <mdotpainter (AT) att (DOT) net> writes:

I need a scheme to give people password access to JavaScript quizzes
that
I have.
I've done a lot of programming but almost no JS.

Use a server side language (PHP, ASP, Server Side Javascript, etc.)
Anything
you try to do in the browser, with regards to multiple users/passwords,
will
fail.

Although Jim Ley showed me a page that is "password protected" that is
pretty
spiffy. I have yet to break it. But, it doesn't contain the password in
the
page, the password is a key to decrypting the page.

If the password is in the page, then it can/will be broken, and quite
easily.

Granted if the person is willing to work at it and has the skills and the
password is in the page and they can see the page and the encryption is
simple enough they can break it.

For that type I would probably use the simplest method I've seen and use the
name of the file as the password. Assuming they can't see what's on the
server that's about as secure as you can get.

99.999% of the people who will be taking these quizzes would be better off
studying or looking the answers up in the book.

Hi,

Mike Painter wrote:

Quote:

"HikksNotAtHome" <hikksnotathome (AT) aol (DOT) com> wrote in message
news:20030925005031.21457.00000858 (AT) mb-m10 (DOT) aol.com...

In article <d6ucb.157716$3o3.11280827 (AT) bgtnsc05-news (DOT) ops.worldnet.att.net>,
"Mike Painter" <mdotpainter (AT) att (DOT) net> writes:


I need a scheme to give people password access to JavaScript quizzes

that

I have.
I've done a lot of programming but almost no JS.

Use a server side language (PHP, ASP, Server Side Javascript, etc.)

Anything

you try to do in the browser, with regards to multiple users/passwords,

will

fail.

Although Jim Ley showed me a page that is "password protected" that is

pretty

spiffy. I have yet to break it. But, it doesn't contain the password in

the

page, the password is a key to decrypting the page.

If the password is in the page, then it can/will be broken, and quite

easily.

Granted if the person is willing to work at it and has the skills and the
password is in the page and they can see the page and the encryption is
simple enough they can break it.

For that type I would probably use the simplest method I've seen and use the
name of the file as the password. Assuming they can't see what's on the
server that's about as secure as you can get.

99.999% of the people who will be taking these quizzes would be better off
studying or looking the answers up in the book.

Then don't password protect them. If you do, you insult the intelligence
of those who are able to find the password. Just let them be responsible
for their own failure if they choose to look for the answers in the
page. It's not your problem anymore.

Anything you do on the client (even your file name = password trick) can
be easily defeated.

Laurent
--
Laurent Bugnion, GalaSoft
Webdesign, Java, javascript: http://www.galasoft-LB.ch
Private/Malaysia: http://mypage.bluewin.ch/lbugnion
Support children in Calcutta: http://www.calcutta-espoir.ch

Laurent Bugnion, GalaSoft wrote:

Quote:

Hi,

Mike Painter wrote:

"HikksNotAtHome" <hikksnotathome (AT) aol (DOT) com> wrote in message
news:20030925005031.21457.00000858 (AT) mb-m10 (DOT) aol.com...

In article
d6ucb.157716$3o3.11280827 (AT) bgtnsc05-news (DOT) ops.worldnet.att.net>,
"Mike Painter" <mdotpainter (AT) att (DOT) net> writes:


I need a scheme to give people password access to JavaScript quizzes


that

I have.
I've done a lot of programming but almost no JS.


Use a server side language (PHP, ASP, Server Side Javascript, etc.)


Anything

you try to do in the browser, with regards to multiple users/passwords,


will

fail.

Although Jim Ley showed me a page that is "password protected" that is


pretty

spiffy. I have yet to break it. But, it doesn't contain the password in


the

page, the password is a key to decrypting the page.

If the password is in the page, then it can/will be broken, and quite


easily.

Granted if the person is willing to work at it and has the skills and the
password is in the page and they can see the page and the encryption is
simple enough they can break it.

For that type I would probably use the simplest method I've seen and
use the
name of the file as the password. Assuming they can't see what's on the
server that's about as secure as you can get.

99.999% of the people who will be taking these quizzes would be better
off
studying or looking the answers up in the book.


Then don't password protect them. If you do, you insult the intelligence
of those who are able to find the password. Just let them be responsible
for their own failure if they choose to look for the answers in the
page. It's not your problem anymore.

Anything you do on the client (even your file name = password trick) can
be easily defeated.

Laurent
Actually, you can use javascript to securely password protect a page.

But the effort to maintain such a page is excessive.

In article <ixGcb.24145$an.2973 (AT) bignews6 (DOT) bellsouth.net>, Jerry Park
<NoReply (AT) No (DOT) Spam> writes:

Quote:

Actually, you can use javascript to securely password protect a page.
But the effort to maintain such a page is excessive.

And have the password in the page? Or are you referring to something like Jim
gave me? I can't find the link but the password was the key to the crypto. If
the password is in the page, its trivial to defeat it though.
--
Randy

"HikksNotAtHome" <hikksnotathome (AT) aol (DOT) com> wrote

Quote:

In article <ixGcb.24145$an.2973 (AT) bignews6 (DOT) bellsouth.net>, Jerry Park
NoReply (AT) No (DOT) Spam> writes:

Actually, you can use javascript to securely password protect a page.
But the effort to maintain such a page is excessive.

And have the password in the page? Or are you referring to something like
Jim
gave me? I can't find the link but the password was the key to the crypto.
If
the password is in the page, its trivial to defeat it though.
--
Randy

Assume these lines are in the body of the text:
***********
It may seem easy for some to find a password. However for most people the
job can be very difficult. At some point the user will give up before
finding it.
This especially true if the pages include files that don't appear on the
page.
***********
What is the password? (And it's not password?)

"Laurent Bugnion, GalaSoft" <galasoft-LB (AT) bluewin_NO_SPAM (DOT) ch> wrote in
message news:bkv7hb$jt4$1 (AT) rex (DOT) ip-plus.net...

Quote:

Hi,
snip
Anything you do on the client (even your file name = password trick) can
be easily defeated.

How can it be easily defeated?

In article <QdOcb.153435$0v4.11435861 (AT) bgtnsc04-news (DOT) ops.worldnet.att.net>,
"Mike Painter" <mdotpainter (AT) att (DOT) net> writes:

Quote:

Assume these lines are in the body of the text:
***********
It may seem easy for some to find a password. However for most people the
job can be very difficult. At some point the user will give up before
finding it.
This especially true if the pages include files that don't appear on the
page.
***********
What is the password? (And it's not password?)

OK, let me clarify what I said, so we aren't splitting words. If the password
is in the code, and defined as the password, then its trivial to defeat.
Meaning, you can obfuscate it, but if its defined in the code as being the
password, so that script can compare what the user inputs to it, then its
trivial to defeat.

Can you make it hard enough that most people will give up? Sure. Can you make
it impossible? Not if the password is defined in the code as being the password
(The crypto page doesn't have it defined in the page, its used as the key to
the crypto).

If you want a secure system, do it on the server. And not even that is entirely
"secure" but it beats the heck out of javascript security.
--
Randy

Hi,

Mike Painter wrote:

Quote:

"Laurent Bugnion, GalaSoft" <galasoft-LB (AT) bluewin_NO_SPAM (DOT) ch> wrote in
message news:bkv7hb$jt4$1 (AT) rex (DOT) ip-plus.net...

Hi,
snip
Anything you do on the client (even your file name = password trick) can
be easily defeated.


How can it be easily defeated?

Some browsers allow seeing everything on your server. It's then pretty
easy to find all the files it contains, and to load them.

If you have access to the server, it's very easy to set up password
protected directories for your users, and this way is much safer than
anything you can do on the client. Check htaccess in Google for details.
Of course, any security scheme can be defetaed eventually, but at least
you won't look like a fool for doing it on the client ;-)

Laurent
--
Laurent Bugnion, GalaSoft
Webdesign, Java, javascript: http://www.galasoft-LB.ch
Private/Malaysia: http://mypage.bluewin.ch/lbugnion
Support children in Calcutta: http://www.calcutta-espoir.ch