Re: Repost of CompuServe Position on Passphrases
David P. Kemp wrote:
>
> > From ietf-tls-request@w3.org Thu Jul 25 06:36:35 1996
> > Resent-Date: Thu, 25 Jul 1996 06:36:08 -0400
> > From: Jeff Weinstein <jsw@netscape.com>
>
> > 2) many (most?) people reuse their passwords.
>
> That is a good argument for requiring that users not be allowed
> to choose their passwords. Isn't that standard practice at most
> web sites that use basic auth - the content provider, not the user,
> picks the password?

I have accounts on over a dozen sites that use basic auth on
the internet. In every case I provided my own username and
password. If these sites forced passwords on users they would
end up with a lot fewer subscribers.

> Don't get me wrong - I believe there is not a single good thing
> that can be said about static passwords. But the question here is
> should the TLS protocol support strong protection for them. As
> the proposal appears to have no negative effect on the rest of
> TLS, I don't see a reason for opposing the password proposal.

I think that including password authentication does weaken
TLS. Every time someone's password is stolen and used to
impersonate someone using TLS, it will weaken the public
perception of the standard. I realize that this is not a
technical concern, but it is a real one.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.