
Re: Repost of CompuServe Position on Passphrases

From: Jeff Weinstein <jsw@netscape.com>
Date: Thu, 25 Jul 1996 03:33:42 -0700
Message-ID: <31F74D86.44ED@netscape.com>
To: John Macko <jmacko@nisa.compuserve.com>
CC: ietf-tls@w3.org

John Macko wrote:
> PASS PHRASES ARE INSECURE--One sometimes hears the argument that pass
> phrases are inherently insecure. Generally, there are three such
> arguments, all false.

  Here is one of my objections to passwords.

  I believe that the following are facts:

	1) many people send their passwords in the clear over the internet
	   every day.  Many of the protocols used on the internet
	   use passwords sent in the clear, and lots of people
	   (the majority?) use these protocols without underlying
	   encryption such as SSL.

	2) many (most?) people reuse their passwords.

  If someone snoops passwords from major sites on the internet that
use HTTP basic authentication, I believe that they will find a
significant percentage of people using the same password that
they use for your system.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
Received on Thursday, 25 July 1996 06:35:53 EDT
