RE: Draft W3C TAG Finding "Passwords in the Clear" available for review from Rice, Ed (ProCurve) on 2008-02-14 (public-usable-authentication@w3.org from February 2008)

From: Rice, Ed (ProCurve) <ed.rice@hp.com>
Date: Thu, 14 Feb 2008 14:17:33 +0000
To: Chris Drake <christopher@pobox.com>, David Orchard <dorchard@bea.com>
CC: "public-usable-authentication@w3.org" <public-usable-authentication@w3.org>
Message-ID: <E48777C739E4AB4ABD47E952D4C0B77236FF3F8AFE@G1W0491.americas.hpqcorp.net>

Dave,

I (Still) agree with Chris.  Sending passwords in clear text is wrong it doesn't really matter how complex the  password is.

-Ed


-----Original Message-----
From: Chris Drake [mailto:christopher@pobox.com]
Sent: Wednesday, February 13, 2008 11:21 PM
To: David Orchard
Cc: public-usable-authentication@w3.org; Rice, Ed (ProCurve)
Subject: Re: Draft W3C TAG Finding "Passwords in the Clear" available for review

Hi David,

Thanks for the "review solicitation" on:-
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

In general - that entire document is horribly misleading.  You are
advocating that password exchange over non-encrypted mediums is
acceptable (albeit after obscuring the password itself).

This is never acceptable, because - in the absence of suitable
session-key protection, there is no way you can obscure a plaintext
password safely.

The "passwords" you propose to protect are short alphanumeric ascii
tokens, usually based on human-recognizable things like words.  The
"keyspace" of these make it trivial on modern PCs to test every
possible combination against whatever hash or obscuring method you
choose, in a very short time.  Using either Rainbow tables, or google,
cracking hashed passwords more often than not takes only a few seconds
nowdays.

http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/

Given that obscuring/hashing passwords makes people erroneously
believe they are now secure - it could well be making things worse by
doing this, rather than by sending via plain text:  at least when
they were in plaintext, every uneducated person who could observe them
passing by was able to understand it's not secure.  Hashing merely
serves to deceive the people building and operating the insecure
system, all while handing hackers and crackers free access to the
original plaintext passwords.

If any recommendation should be included at all - it should be this:-

  Always use SSL or some equivalent security - there is no provision
  in web browsers that allows passwords to be exchanged securely
  without SSL.  Not even hashing.

Kind Regards,
Chris Drake


Thursday, February 14, 2008, 11:48:12 AM, you wrote:

DO> Dear Web Security Context WG,
DO>
DO> On behalf of the W3C TAG, I would like to solicit your review
DO> of the Draft TAG finding "Passwords in the Clear" [1].  Comments
DO> on this draft should be posted to www-tag@w3.org and are
DO> appreciated.  We do not have a firm deadline but I'd like to
DO> suggest March 7th 2008 as a rough timeframe for comments.
DO>
DO> Cheers,
DO> Dave Orchard

DO>
DO> [1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
DO>

Received on Thursday, 14 February 2008 14:19:40 UTC