Website passwords and security
The indexing of password protected sites is recommended for low security sites only.
YOU MUST USE JUDGEMENT IN DETERMINING WHICH PASSWORD PROTECTED SITES YOU INDEX.
For example, while the final judgement is yours, we would NOT index password protected sites that contain high security content like:
- Credit card numbers
- Financial information
- Medical records
- Trade secrets
- Confidential data
- Other high security content
We would consider indexing password protected sites that include low security content like:
- Members-only content and articles
- Registered user support information
- Subscription services
- Other low security content
Before entering passwords
Keep the following in mind before entering user names and passwords into the FreeFind system:
1. Security for user names and passwords should be considered "low".
2. The search itself is not password protected.
   A) anyone with your FreeFind site ID can run a search
   B) anyone with your search box HTML can run a search
3. FreeFind Site IDs are not secret.
   A) they are not changeable so...
      1. anyone who has run a search has the ID forever
      2. they will leak out eventually
      3. they are included in the URL
         a) URLs are logged in various places (servers, proxies)
         b) URLs are sent as referrers when any link on the page is followed
   B) valid IDs can be found by guessing (though guessing a specific ID is harder)
   C) they were never designed to be secret, so there may be other leaks
4. The search results contain extracts from your password protected documents: the areas around the searched-for keyword are displayed.
5. Your documents still ARE password protected. When a user clicks on a search result, they must authenticate.
6. The username(s) and password(s) that you enter into the search engine control center are saved on our servers.
   A) these usernames and passwords are transmitted to and from our servers in plain text
   B) these usernames and passwords are stored on our servers
   C) these usernames and passwords may be used by our support and engineering staffs in diagnosing problems and ensuring proper system operation
   D) these usernames and passwords may be accessed by anyone who is able to log in to your FreeFind account
   E) these usernames and passwords may be accessed by anyone who is able to gain unauthorized access to our servers
7. Basic HTTP authorization (by definition) sends your username and password to your servers in what amounts to clear text.