W3C home > Mailing lists > Public > public-identity@w3.org > June 2011

Re: [saag] [websec] Fwd: [http-auth] re-call for IETF http-auth BoF

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Thu, 23 Jun 2011 11:36:09 +0900
Message-ID: <BANLkTimChRk2mpKLTQ9Cg+6QKy0eaxcwpg@mail.gmail.com>
To: gogwim@unijos.edu.ng
Cc: "SHIMIZU, Kazuki" <kazubu.lepidum@gmail.com>, "public-identity@w3.org" <public-identity@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "websec@ietf.org" <websec@ietf.org>, "saag@ietf.org" <saag@ietf.org>
2011/6/23 GOGWIM, JOEL GODWIN <gogwim@unijos.edu.ng>:
> Supported.
> Weak and predictable passwords should be avoided.

I ideally agree, but in reality I hesitate to agree with it
with technical means and backgrounds. In short, here is a security trade-off.

Of course, the statement "weak and predictable passwords should be avoided",
as literally, can be read as our requirements to users and agreed with
no questions.
However, the original thread was prepended with "Any protocols that allow".
For this purpose, the more the technology gets strong to protect "good
(unpredictable)"
passwords and passphrases against possible attacks, the more such a protocol
cannot reveal "weakness" of passwords to servers too.

To detect by the server side to detect predictable passwords using
bulky (e.g. 100k or 1M+) list, currently we need either a plain-text password
authentication protocol or a plain-text password registration procedure.
On the contrary, if we forgive users' "mistake" to use such a weak passwords
as user's own, we can introduce much stronger password
protocols which do not reveal (at least immediately) the user's password
both in registration and authentication time.
When we face with this trade-off, I don't want to trash out the
latter's possibility.

In this background, "forbidding protocols which allow users to (covertly) use
weak predictable passwords" means that "servers *always* know the user's
plain-text password", which is obviously not happy.
We don't want to completely sacrifice well-done user's security in trade with
the careless user's security.

Of course, even if we introduce such "secure" password registration protocol,
I foresee that some people will continue to stick on plain-text password
registration for various reasons.  For example, if a law had required
some servers
(e.g. financial entities) to check and reject such predictable passwords,
we would have no way to secure it.  For such purposes servers will
continue to receive raw passwords and computes password-hashes
(or whatever equivalent) on the server-side.
But I think that providing a possibility to securely registering passwords
to servers are one of required things to do for us.

But, again at last, I repeat to agree that "users" should avoid weak and
predictable passwords with no questions.
Received on Thursday, 23 June 2011 02:36:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 23 June 2011 02:36:46 GMT