You can:
- Use SSL for the login page. But I think the mixture of http/https sessions is solved better in D7.
- Use another login mechanism, like sending the md5 hash directly to the server. This way your password is "safe" (don't correct me on this word ;-) ). However, any attacker can capture your packets and replay the login without any difficulty.

--
Hai-Nam Nguyen (aka jcisio)
http://jcisio.com

On Sun, Jan 9, 2011 at 9:36 AM, Austin Einter <austin.ein...@gmail.com> wrote:
> Hi All
> I just made a site using Drupal 6.2 and on the front page I have kept the "user login" block. I hosted this site using some third-party web server.
>
> I tried to log in to the new site from my PC using my user name and password, and prior to that I was capturing the packets that were being sent/received by my PC. By checking a few packets' content I could figure out the user name and password in plain text.
>
> So it looks like others can see these packets and get the administrative user name and corresponding password, and hence can modify site content, and it is really dangerous. I assume people must have thought of it and there should be some way to make sure the username and password are encrypted by default, hence avoiding a third party's role in site content modification.
>
> Please guide me in this regard and provide some pointers on how I can make my username/password secure while logging in to sites based on Drupal.
>
> Regards
> Austin
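The replay weakness Hai-Nam points out (a client that sends a fixed hash of the password is sending a password-equivalent, so one captured packet logs in forever) is easy to see side by side with a nonce-based challenge/response, where the same captured answer is useless a second time. The following is an added illustration, not code from this thread or from Drupal: the user store, the `ChallengeServer` class, the `correct horse` password and the `austin` account are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store (not from the thread or from Drupal).
# A real store would use a slow, salted hash; plain SHA-256 keeps the
# demonstration short.
USERS = {"austin": hashlib.sha256(b"correct horse").hexdigest()}


def static_hash_login(user, token):
    """Scheme discussed in the reply: the client sends hash(password) as-is.

    The hash is a password-equivalent, so anyone who captured it once can
    present it again indefinitely."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, token)


class ChallengeServer:
    """Nonce-based challenge/response (hypothetical, for illustration).

    The server hands out a fresh single-use nonce; the client answers with
    HMAC(hash(password), nonce). A captured answer is bound to a nonce that
    is consumed on first use, so replaying it fails."""

    def __init__(self):
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # single use: consumed here
        stored = USERS.get(user)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """What a legitimate client computes for a given nonce."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hmac.new(pw_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def demo_static_replay():
    """Return (first_login_ok, replay_ok) for the static-hash scheme."""
    captured = hashlib.sha256(b"correct horse").hexdigest()  # what a sniffer sees
    first = static_hash_login("austin", captured)
    replay = static_hash_login("austin", captured)  # same token, later
    return first, replay  # (True, True): the replay is accepted


def demo_challenge_replay():
    """Return (first_login_ok, replay_ok) for the challenge/response scheme."""
    server = ChallengeServer()
    nonce = server.challenge("austin")
    captured = client_response("correct horse", nonce)  # what a sniffer sees
    first = server.verify("austin", captured)
    server.challenge("austin")  # a later login attempt gets a new nonce
    replay = server.verify("austin", captured)  # old answer, new nonce
    return first, replay  # (True, False): the replay is rejected


if __name__ == "__main__":
    print("static hash  (first, replay):", demo_static_replay())
    print("challenge    (first, replay):", demo_challenge_replay())
```

The nonce only closes the replay hole; an attacker who can read the traffic can still alter the login page itself, and the server still holds a value the client can derive, so this does not replace the first suggestion in the reply (TLS on the login page).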