PassWord 4.x applet
The hacker at work:
Hide your directory content:
There should be some things that you should keep in mind.
The directory containing the hidden- and or users password files should not be accessible from the Internet.
Most providers do not allow visitors to see the content of a directory.
For example http://someserver/mydirectory/ should not show the content of mydirectory.
If you can see the content then place an index.html or index.htm file in it.
Instead of displaying the content the hacker will see the index.html file.
Some providers use another name instead of index.html
Don't let the hacker register your hidden page:
Another hack will be when someone registers your hidden Internet page to a search engine.
Well this is bad.
Adding this tag will solve the issue for most search engines
<META NAME="ROBOT" CONTENT="NOINDEX,NOFOLLOW">
The brute force attack:
This password applet can be configured to use multiple password files.
Each user could have its own password file.
In this setup the password entered is decrypted to the users password file name.
For convenience you might want to use short passwords resulting in many short password file names.
But this makes the applet vulnerable to a brute force attack.
With a brute force attack the hacker tries to guess a password.
Sins there are multiple short password file names there is a good change that he might succeed.
Remember that he can get the decryption algorithm by reverse engineering the applet.
The work around is to add the user name into the password file.
By default the applet will only use the last two lines of the password file.
But if he encounters the username it will use the next two lines.
So the password file should look like this:
bla bla bla
If username does mach it will go to the hiddenfilename.html in a new browser window.
Note: _blanc is a special html frame target name it causes the browser to open the page into a new browser window.
If the username isn't found the last two lines are used.
In this case the denial page will replace the existing window caused by the _self frame name.
In this case there should be no lines after _self!
Don't show debug info:
The applet has a parameter that displays additional information on the browsers Java console.
Also Ms Explorer has such console (tools,options,advanced,enable javaconsole). Its should be used for debuging purposes only.
It also shows the content of the password file.
A password file can contain login for multiple users !!
So <PARAM NAME"debug" VALUE="false">