Adding a pass to a webpage

Remove all ads!

I recently volunteered to build(and have built) a website for the company that i work for. The problem is that in order for them to accept this site, the schedules(12 pages for 12 departments) must be password protected. I recently found a program called 'Html Password Lock' but its only a trial version. I don't know any scripting (im using Frontpage) so matters are a little more difficult. Does anyone know an easy way to put a simply password on a specific page?
Thank you all for any help!

[ June 18, 2005, 11:31: Message edited by: Celesialraven ]

 

Where are you planning to store the password?

 

Za? I'm not sure i follow. As of now the program pretty much does it all automatically so i dont really know the nitty gritty details behind this sort of thing. I'm just hoping to have a blank page with a text box pop up demanding the password when someone clicks on the link to the page. It's only to keep away the curious, and doesnt need to be die-hard uber secure.

 

Well you can store the passwords in the HTML code itself, but that would easily be crackable since everyone can access the HTML code, and anyone who knows a bit of HTML can find and read your passwords.
Unless you hash them of course

I'll see what I can whip up for you with simple Javascript, been a long time since I worked with webpages.

Edit:
Finished, what I have done is to calculate a "checksum" on the correct password and store this checksum in the HTML file, and not the password!

The algorithm used in the calculation is the MD5 algorithm, this algorithm is theoretically unreversable, so bad people can't turn the calculation around to get the correct password from the checksum(

Here's the script:

Code:

<html>
  <script language="JavaScript" src="md5.js"></script>
  <head>
    <title> Hello World! </title>
  </head>
  <body>
    <script type="text/javascript">
      function login()
      {
        var correct_checksum = "7ac66c0f148de9519b8bd264312c4d64";

        /* If you use the prompt function to create a popup, the user can read what he enters,
         *  and that isn't very safe with passwords. */
         var user_checksum = hex_md5( prompt( "Enter the bloody password!" ));

        /* Check if the correct checksum is equal to the checksum of the password the user gave. */
        if( correct_checksum != user_checksum )
        {
          alert( "Wrong Password!" );
        }
          else
        {
          alert( "Correct password!\n Now! On to the dungeons of El Diablo!");
          window.location ="secret/top_secret/plan_to_dominate_world_without_pinky_and_getting_Anna_Kournikova";
        }
      }
    </script>

    <a href="" onClick="login();return false;">Login.</a>
  </body>
</html>

The string "7ac66c0f148de9519b8bd264312c4d64" is the result of the checksum calculation on the password "abcdefg", so when the user clicks on "Login" he will have to supply "abcdefg" as the password.
If the user did that correctly, he will be taken to my webpage on world-domination, this link you can replace with the schedule page.

If you want to use your own password, you will have to calculate the checksum of the password and replace the checksum in my script with yours.
The checksum can be obtained with:

Code:

<html>
  <script language="JavaScript" src="md5.js"></script>
  <head>
    <title> Hello World! </title>
  </head>
  <body>
    <script type="text/javascript">
      var password    = "enter_my_password_here";
      var checksum        = hex_md5( password );

      document.write( "The checksum for password: " + password + "<br> Is: " + checksum + "<br>" );

    </script>
  </body>
</html>

In which you replace the string "enter_my_password_here" with your password, and then load the page to get the checksum.


The "hex_md5" function that is used to calculate the checksum can be found in the "md5.js" Javascript file and this file needs to be stored in the same folder as the html-pages which use the "hex_md5" function.
The "md5.js" file can be downloaded freely from this site

Credits to the guy who wrote the md5 script of course.

Have fun with the code, and if you still have some questions, ask them.

[ June 18, 2005, 19:27: Message edited by: Blackthorne TA ]

 

You'd be better off with a PHP script and a database. That javascript check can be easily cracked by anyone who knows how to use their browser.

 

You can use .htaccess files. Do a google search on ".htaccess" to read how to make one, then upload it to the desired directory on your server. A tiny window will pop up, requiring a login and password.

Or you can use an HTML form with a PHP script. The problem is, you're going to need hidden forms with the password on every page and a password check-point also on every page you want to protect. This is why .htaccess is better for large sites. For a single page PHP will do. Note: if you want an external file to store the password, it needs to be another PHP script with just a variable definition. Store it in a .txt and you may as well give up already. While a .php file with password variable definition isn't probably 100% safe, it's a good start.

Here's a guide to .htaccess:

http://httpd.apache.org/docs/howto/htaccess.html

But if you want the password on one specific page only, there's no need to bother with separate directories and .htaccess and PHP is your way. Drop me a PM if you want me to add the code to your page. A simple password checkpoint (without a fancy change password function) is no biggie, I can do it for you in a couple of minutes.

If you're familiar with PHP, I can post the code right here, too.

 

Really? How?

Edit:
If you are talking about bruteforces, then yes, it can be easily "cracked", but I doubt that the people who access those schedules (or should not and do care) are *that* computer-savy, so there is no need to pull PHP out of the closet.

 

You don't need a brute force to crack an external JavaScript. All you need is the file address and then you can make a simple HTML file... do I really need to say the rest?

 

Right...

But still, if securing those schedules was important, do you really think they'd let some guy with no clue of web-scripting implement it?

What about placing the login-script in the schedule file and run that when the file is loaded? That's Gold I tell you!

 

Encrypting the download looks like the best idea. Way harder to break.

 

Firstly, thank you all for your suggestions. I do still have one little pickle however. Morgoth, where about would i paste the script that you provided? I have tried putting it directly onto the page but then i get a login option on the top of the fully provided page(or it disables part of the pages script). Yet, it will not work if it isnt directly on the needed page as one could then simply type in the full address to get around the password page. I'm beginning to think that im in way over my head here as i don't really understand java or .htaccess passwording. Once upon a time while in highschool i took classes on this stuff, but alas those days are over. I'll continue trying to figure some of this stuff out, but in the meantime, thanks again for all the suggestions.

Edit: Chev i just saw your offer and its too good to refuse. Thanks all!

[ June 19, 2005, 10:30: Message edited by: Celesialraven ]