cancel
Showing results for 
Search instead for 
Did you mean: 

.htaccess password protection question

shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

.htaccess password protection question

Simple question.  Is there any way I can use .htaccess password protection but stop the device from remembering the password for future use ?  It may sound odd that I should want to do that, but there is a desktop computer used by several people which I cannot control and as things stand, the .htpassword is ineffective because anyone can go to the website on that computer and simply use the remembered password !

It would be impractical to change the method of password protection because it would involve so many users and too much work for what it is worth.  This is just a "nice to have" because there is no risk involved.  It would just be preferable to stop any nosy Tom, Dick or Harry using that computer to be able to gain access so easily - it is inviting them to be curious !  I am sure there are better and more feature full ways of password protecting a website, but it would be helpful if there was an attribute or other feature of .htaccess which could disable remembering the password !

Thanks to anyone who can help.

19 REPLIES 19
Baldrick1
Moderator
Moderator
Posts: 11,625
Thanks: 5,166
Fixes: 415
Registered: ‎30-06-2016

Re: .htaccess password protection question

@shermans 

The question that comes to my mind is why is your computer remembering passwords? Presumably it is a setting somewhere? I know that some browsers ask if you want it to be remembered, however these have a no never box and you are never asked again. I assume that you can also delete saved passwords in the settings.

I keep all my important passwords in a password safe installed onto an USB memory stick. These can be simply copied and pasted when required. As far as I am aware there are no easily accessed passwords present on the computer when the USB stick is removed and placed in a safe place.

Moderator and Customer
If this helped - select the Thumb
If it fixed it,  help others - select 'This Fixed My Problem'

shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: .htaccess password protection question

I should have made it clearer.  The computer is not under my control - it is located in an office elsewhere and access to my website is needed by someone who uses that project computer not all the time, but just as required.

However, that computer is also used by others unconnected with my project.  That is why my website is password protected, but I had not bargained on other people using that computer, who do not have involvement with the project, being able to see what is going on because the password is automatically saved !  I have asked whether the Windows settings could be changed to prevent passwords being saved, but it has been refused because it would be inconvenient for many other users involved on unrelated projects having to keep entering their password for their projects.

My project is more sensitive and therefore needs more security, but it does not warrant a dedicated computer at that location.  My user would have to go up several floors to his computer in his own office each time he needed access if he did not have access to the website on the computer used by others.  That is why I want to be able to stop the password being saved on this multi-user computer.

RobPN
Seasoned Hero
Posts: 5,103
Thanks: 2,668
Fixes: 13
Registered: ‎17-05-2013

Re: .htaccess password protection question

@shermans 

I don't have any experience of having to share computers so I may be barking up the wrong tree.

Do all the users on the multi-user computer use the same account, i.e. do not have their own login credentials?

If not, does the computer in question store passwords from each user across all user-accounts?

 

Mook
Seasoned Champion
Posts: 1,266
Thanks: 870
Fixes: 9
Registered: ‎27-12-2019

Re: .htaccess password protection question

@shermans - I'd use a cron job with a shell script to generate a new random password for the site, the script then updates the .htaccess file and emails the new password to those entitled to access it. Sorted.

shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: .htaccess password protection question

Good question.  The answer is that I do not know as it is not on my premises and I have no access / control of it.  It is a central work station in an open office environment to which anyone may have access.  It is just a facility for users - a bit like a hot desk - in a workshop to enable staff to have reference to the internet and project files.  So anyone can access almost anything relevant to their own projects. Only my project is sensitive and really needs password protection.  Presumably if a user wanted to, for instance, look at his email, he would have to log in in the normal way but their credentials would be stored as well, so it would not be sensible to use the computer for that sort of purpose as things stand.  The chap that is involved in my project does not absolutely need to use the computer for the purpose of his work, but it would mean going off to his own office instead just to find a reference detail which at present he does on the hot-desk computer.  So it is a convenience.  If I cannot find a simple solution to the .htpassword being saved, then it will be necessary to stop the hot-desk from being used for this purpose, which would be inconvenient.

Baldrick1
Moderator
Moderator
Posts: 11,625
Thanks: 5,166
Fixes: 415
Registered: ‎30-06-2016

Re: .htaccess password protection question

Before I retired I worked in an organisation where data security was considered important. I can just imagine the reaction to this sort of working arrangement.

Moderator and Customer
If this helped - select the Thumb
If it fixed it,  help others - select 'This Fixed My Problem'

shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: .htaccess password protection question

Thanks for that idea.  The disadvantage of a cron script is that the password would then change regularly and the user would have to access his email to find the current password.  I may end up having to do something like that but I had hoped there might be an attribute of some sort to add to the .htpassword to prevent it being saved, but it does not look like that solution exists at all.  Cron it may have to be.

Having Googled for a solution, it appears that passively disabling the saving of passwords is frowned upon because it discourages people from using complex passwords because they are difficult to remember - even though it makes a password useless in a  shared hardware environment !

shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: .htaccess password protection question


@Baldrick1 wrote:

Before I retired I worked in an organisation where data security was considered important. I can just imagine the reaction to this sort of working arrangement.


Precisely but it is not within my sphere of influence.  What is currently an efficient way of working has become a nightmare due to this password saving issue, and means that the user will have to be instructed to stop using the shared computer.  No wonder productivity is such an issue in our economy when silly things like this cannot be overcome without complex solutions.

Mook
Seasoned Champion
Posts: 1,266
Thanks: 870
Fixes: 9
Registered: ‎27-12-2019

Re: .htaccess password protection question


@shermans wrote:

The disadvantage of a cron script is that the password would then change regularly and the user would have to access his email to find the current password. 


Well that would depend on how often it was done @shermans. To minimise this I'd be inclined to run this at night when there's limited staff. That way the new password would be in their Inbox for in the morning.
 
If the users finds this inconvenient then ask them if they just want to remove the .htaccess control, if they start to choke on their coffee and rant on about security then tell them this is the best you have and they'll have to put up with it. They can't have it both ways.

 

VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: .htaccess password protection question

Use a password that consists of a PIN code where you "randomly" choose, say 4 out of 8 digits - it won't matter if they save the "password".

"In The Beginning Was The Word, And The Word Was Aardvark."

shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: .htaccess password protection question

This sounds intriguing, but I am afraid I do not quite understand.  I am being stupid.  If the password is say 12345678 but I have to enter four of the digits, say 2468, then Windows will save 2468, and anyone accessing the computer will be presented with the saved password 2468 and be able to enter the website.  I am obviously not understanding something correctly !

VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: .htaccess password protection question

Because you randomly choose the digits - say next time 1356 - the stored password would correspond to characters 2468 from the previous time and would almost certainly be different.

Example:- Suppose the password = 'PASSWORD'

Characters 2,4,6,8 = ASOD

Characters 1,3,5,6 = PSWO

Since you can use a pseudo-random number generator to generate the number positions, its difficult to predict what the entered "password" should be.

This works with variable length passwords too & you can ask for digits in any order - e.g. characters 7,5,1,4 😀

You could do this sort of thing with a bit of Javascript.

"In The Beginning Was The Word, And The Word Was Aardvark."

Mook
Seasoned Champion
Posts: 1,266
Thanks: 870
Fixes: 9
Registered: ‎27-12-2019

Re: .htaccess password protection question

As different as this approach is I don't think it's practical as it requires that you disable the .htaccess file. This then means you have no protection on the site so need to include the JS in every HTML page.

The password needs caching so that on navigation the user isn't repeatedly asked for a password. You would also have to ensure that future additions to the site included the JS file.

shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: .htaccess password protection question

Thanks for all the ideas.  I will try to resolve it with them.