
Thread: Password Protected Directories exposed, any ideas why?

  1. #1
    Join Date
    Aug 2008
    Posts
    6

    Post Password Protected Directories exposed, any ideas why?

    Hello everyone,

    Yesterday I created a directory (not in the public folder) and used the security service of Bluehost to password protect the directory. When I entered the password for a new user (the password showed as dots), it created the password but exposed the password on the next screen with the username.

    Has anyone had this problem? I think this is a serious security flaw; on top of that, it is not a secure connection, I think (not https). Any thoughts?

    Any ideas and advice on this matter will be appreciated.

    Thanks!
    BHR

  2. #2
    Join Date
    Feb 2006
    Posts
    192


    If I understood you correctly...
    I don't think this is a security issue at all, unless you have someone watching over your shoulder when you make the changes. The password is not exposed, the next screen just showed you what the new settings are.
    No one else is (should be) seeing that page, but you.
    Everything in moderation

  3. #3
    Join Date
    Apr 2008
    Posts
    407


    It shouldn't be that much of an issue. If you're concerned about it, use a separate htaccess generator like this one to generate the lines in .htaccess that you need, and then put them in manually.
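
Added example, not part of the original posts: the kind of lines a separate .htaccess generator produces for a password-protected directory, with an HTTPS requirement added because Basic authentication sends the password base64-encoded rather than encrypted. The path, realm and user name are placeholders, and the example assumes mod_ssl is loaded and an Apache 2.4 htpasswd tool is available over SSH.

```apache
# .htaccess in the directory to protect (constructed example; paths are placeholders).
#
# Create the password file yourself over SSH so that no control-panel page
# echoes the password back. htpasswd prompts without echo and stores a hash:
#   htpasswd -c -B /home/USERNAME/.htpasswds/private/passwd alice
# (-c creates the file, -B selects bcrypt; omit -c when adding more users)

# Refuse plain-HTTP requests: Basic auth credentials are only base64-encoded.
SSLRequireSSL

AuthType Basic
AuthName "Private area"
# Keep the password file outside public_html so it cannot be fetched over the web.
AuthUserFile /home/USERNAME/.htpasswds/private/passwd
Require valid-user
```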

  4. #4
    Join Date
    Aug 2008
    Posts
    6


    Quote: Originally Posted by vegasgwm
    If I understood you correctly...
    I don't think this is a security issue at all, unless you have someone watching over your shoulder when you make the changes. The password is not exposed, the next screen just showed you what the new settings are.
    No one else is (should be) seeing that page, but you.

    Yes, you understood me correctly. What you said is true; however, when it comes to security it shouldn't be displayed. The reason I asked the question is because I want to store sensitive information in that folder.

    Do you recommend putting sensitive information through a webhost like BlueHost? I like to have a backup of my files somewhere else than home. Also considering encrypting the folder or files.

    How about the fact that the connection through my account is http and not https?

    Thanks!
    BHR

  5. #5
    Join Date
    Aug 2008
    Posts
    6


    Quote: Originally Posted by Eriksrocks
    It shouldn't be that much of an issue. If you're concerned about it, use a separate htaccess generator like this one to generate the lines in .htaccess that you need, and then put them in manually.

    I like your idea. It makes me feel secure. I will try that.

    How about encrypting the folder and files?

    Thanks!
    BHR

  6. #6
    Join Date
    Jan 2008
    Location
    cardboard box
    Posts
    388


    If you don't want somebody to see it, don't put it on the internet.

  7. #7
    Early Out (Former Moderator, Still Respected)
    Join Date
    Mar 2006
    Location
    Sector R
    Posts
    4,650


    Quote: Originally Posted by wysiwyg
    If you don't want somebody to see it, don't put it on the internet.

    This is an exceptionally stupid blanket statement. You don't seriously believe this, do you?

    First example: a professional photographer puts up proofs of photos from 3 different weddings. For reasons of privacy, he wants only the families to be able to view the pics. The simple way to do this is with passwords on the directories. Sure, that won't stop the truly determined hacker, but what hacker would spend the time and energy required to bust into a directory with a bunch of wedding cake pictures?

    Second example: in the folders above public_html, there's all kinds of stuff that's absolutely required for many websites to work at all, but that you don't want people to be able to access directly. These are already protected, so there's no need to put passwords on the directories - only the account owner can get to them, using ssh, an FTP client, or File Manager (through the Control Panel).

  8. #8
    Join Date
    Jan 2008
    Location
    cardboard box
    Posts
    388


    I will not partake in your straw man argument.

    My opinion holds firm regardless of your stance on the subject.

  9. #9
    Early Out (Former Moderator, Still Respected)
    Join Date
    Mar 2006
    Location
    Sector R
    Posts
    4,650


    Quote: Originally Posted by wysiwyg
    I will not partake in your straw man argument.

    My opinion holds firm regardless of your stance on the subject.

    Translation - "I'm stuck for an answer."

  10. #10
    Join Date
    Aug 2008
    Posts
    6


    Quote: Originally Posted by wysiwyg
    I will not partake in your straw man argument.

    My opinion holds firm regardless of your stance on the subject.

    To some degree you're correct; however, having said that, we have to agree that today's world revolves around digital information that includes sensitive information. Early Out brought out a good point. I would add to his comment: it is like having your house protected against criminals or strangers, which includes installing an alarm system, a big dog, a surveillance system, etc. But you only want people you do know to come in the house.

    You and I can access credit reports which include our SS number, birth date, and other sensitive data in the comfort of our home using the internet, with of course good security systems in place to protect that sensitive information. Other examples are applying for a loan, accessing account information and the like.

    Putting information out there for people you don't want them to see is correct, but you can still do it in a secure way (installing security measures).

    Thanks for your comment!
    BHR
