
RE: authentication-02: threat of snooped password

From: Paul Leach <paulle@microsoft.com>
Date: Wed, 2 Sep 1998 13:03:33 -0700
Message-Id: <CB6657D3A5E0D111A97700805FFE65875D7594@RED-MSG-51>
To: 'Dave Kristol' <dmk@research.bell-labs.com>, http-wg@hplb.hpl.hp.com

How about this:

This is the preceding paragraph (for context):

A common use of Basic authentication is for identification purposes --
requiring the user to provide a user name and password as a means of
identification, for example, for purposes of gathering accurate usage
statistics on a server. When used in this way it is tempting to think that
there is no danger in its use if illicit access to the protected documents
is not a major concern. This is only correct if the server issues both user
name and password to the users and in particular does not allow the user to
choose his or her own password. The danger arises because naive users
frequently reuse a single password to avoid the task of maintaining multiple
passwords.

This is the proposed replacement for the paragraph in question:

If a server permits users to select their own passwords, then the threat is
not only illicit access to documents on the server but also illicit access
to any other resources on other systems that the user protects with the same
password. Furthermore, in the server's password database, many of the
passwords may also be users' passwords for other sites. The owner or
administrator of such a system could conceivably incur liability if this
information is not maintained in a secure fashion.

> -----Original Message-----
> From: Dave Kristol [mailto:dmk@research.bell-labs.com]
> Sent: Thursday, August 20, 1998 12:26 PM
> To: http-wg@hplb.hpl.hp.com
> Subject: authentication-02: threat of snooped password
> 
> 
>     If a server permits users to select their own passwords, then the threat
>     is not only illicit access to documents on the server but also illicit
>     access to the accounts of all users who have chosen to use their account
>     password. If users are allowed to choose their own password that also
>     means the server must maintain files containing the (presumably
>     encrypted) passwords. Many of these may be the account passwords of
>     users perhaps at distant sites. The owner or administrator of such a
>     system could conceivably incur liability if this information is not
>     maintained in a secure fashion.
> 
> This paragraph surprises me a little.  It seems to me that if I choose
> as a password some kind of account password, then the threat is only to
> me and all the accounts that share the password.  I don't see how this
> allows "illicit access to the accounts of all users who have chosen to
> use their account password."  If an adversary grabs my password, how
> does that open a risk to other users?
> 
> I think what was meant here is said better and more succinctly in
> Section 4.4:
> 
>     The greatest threat to the type of transactions for which these
>     protocols are used is network snooping. This kind of transaction
>     might involve, for example, online access to a database whose use
>     is restricted to paying subscribers. With Basic authentication an
>     eavesdropper can obtain the password of the user. This not only
>     permits him to access anything in the database, but, often worse,
>     will permit access to anything else the user protects with the
>     same password.
> 
> Dave Kristol
> 
Received on Wednesday, 2 September 1998 13:06:57 EDT
