- From: Paul Leach <paulle@microsoft.com>
- Date: Wed, 2 Sep 1998 13:03:33 -0700
- To: 'Dave Kristol' <dmk@research.bell-labs.com>, http-wg@hplb.hpl.hp.com
How about this: This is the preceding paragraph (for context): A common use of Basic authentication is for identification purposes -- requiring the user to provide a user name and password as a means of identification, for example, for purposes of gathering accurate usage statistics on a server. When used in this way it is tempting to think that there is no danger in its use if illicit access to the protected documents is not a major concern. This is only correct if the server issues both user name and password to the users and in particular does not allow the user to choose his or her own password. The danger arises because naive users frequently reuse a single password to avoid the task of maintaining multiple passwords. This is the proposed replacement for the paragraph in question: If a server permits users to select their own passwords, then the threat is not only illicit access to documents on the server but also illicit access to any other resources on other systems that the user protects with the same password. Furthermore, in the server's password database, many of the passwords may also be users' passwords for other sites. The owner or administrator of such a system could conceivably incur liability if this information is not maintained in a secure fashion. > -----Original Message----- > From: Dave Kristol [mailto:dmk@research.bell-labs.com] > Sent: Thursday, August 20, 1998 12:26 PM > To: http-wg@hplb.hpl.hp.com > Subject: authentication-02: threat of snooped password > > > If a server permits users to select their own passwords, > then the threat > is not only illicit access to documents on the server but > also illicit > access to the accounts of all users who have chosen to > use their account > password. If users are allowed to choose their own > password that also > means the server must maintain files containing the (presumably > encrypted) passwords. Many of these may be the account > passwords of > users perhaps at distant sites. The owner or > administrator of such a > system could conceivably incur liability if this > information is not > maintained in a secure fashion. > > This paragraph surprises me a little. It seems to me that if I choose > as a password some kind of account password, then the threat > is only to > me and all the accounts that share the password. I don't see how this > allows "illicit access to the accounts of all users who have chosen to > use their account password." If an adversary grabs my password, how > does that open a risk to other users? > > I think what was meant here is said better and more succinctly in > Section 4.4: > > The greatest threat to the type of transactions for which these > protocols are used is network snooping. This kind of transaction > might involve, for example, online access to a database whose use > is restricted to paying subscribers. With Basic authentication an > eavesdropper can obtain the password of the user. This not only > permits him to access anything in the database, but, often worse, > will permit access to anything else the user protects with the > same password. > > Dave Kristol >
Received on Wednesday, 2 September 1998 13:06:57 UTC