
RE: Draft W3C TAG Finding "Passwords in the Clear" available for review

From: David Orchard <dorchard@bea.com>
Date: Thu, 14 Feb 2008 10:48:10 -0800
Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E016720FD@repbex01.amer.bea.com>
To: "Chris Drake" <christopher@pobox.com>
Cc: <public-usable-authentication@w3.org>, <Ed.Rice@hp.com>

Hi Chris et al,

Thank you very much for the comments.  We'd like to have the review comments on the TAG document on www-tag@w3.org.  I will forward all the current messages to www-tag, and then can we continue there please?

Thanks,
Dave 

> -----Original Message-----
> From: Chris Drake [mailto:christopher@pobox.com] 
> Sent: Wednesday, February 13, 2008 11:21 PM
> To: David Orchard
> Cc: public-usable-authentication@w3.org; Ed.Rice@hp.com
> Subject: Re: Draft W3C TAG Finding "Passwords in the Clear" available for review
> 
> Hi David,
> 
> Thanks for the "review solicitation" on:-
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
> 
> In general - that entire document is horribly misleading.  
> You are advocating that password exchange over non-encrypted 
> mediums is acceptable (albeit after obscuring the password itself).
> 
> This is never acceptable, because - in the absence of 
> suitable session-key protection, there is no way you can 
> obscure a plaintext password safely.
> 
> The "passwords" you propose to protect are short alphanumeric 
> ascii tokens, usually based on human-recognizable things like 
> words.  The "keyspace" of these make it trivial on modern PCs 
> to test every possible combination against whatever hash or 
> obscuring method you choose, in a very short time.  Using 
> either Rainbow tables, or google, cracking hashed passwords 
> more often than not takes only a few seconds nowadays.
> 
> http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/
> 
> Given that obscuring/hashing passwords makes people 
> erroneously believe they are now secure - it could well be 
> making things worse by doing this, rather than by sending via 
> plain text:  at least when they were in plaintext, every 
> uneducated person who could observe them passing by was able 
> to understand it's not secure.  Hashing merely serves to 
> deceive the people building and operating the insecure 
> system, all while handing hackers and crackers free access to 
> the original plaintext passwords.
> 
> If any recommendation should be included at all - it should be this:-
> 
>   Always use SSL or some equivalent security - there is no provision
>   in web browsers that allows passwords to be exchanged securely
>   without SSL.  Not even hashing.
> 
> Kind Regards,
> Chris Drake
> 
> 
> Thursday, February 14, 2008, 11:48:12 AM, you wrote:
> 
> DO> Dear Web Security Context WG,
> DO>  
> DO> On behalf of the W3C TAG, I would like to solicit your review of the
> DO> Draft TAG finding "Passwords in the Clear" [1].  Comments on this
> DO> draft should be posted to www-tag@w3.org and are appreciated.  We do
> DO> not have a firm deadline but I'd like to suggest March 7th 2008 as a
> DO> rough timeframe for comments.
> DO>  
> DO> Cheers,
> DO> Dave Orchard
> 
> DO>  
> DO> [1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
> DO>  
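As an added worked example of the argument in the quoted message (this is not code from the thread or from the TAG finding), the script below simulates a passive eavesdropper on an unencrypted connection under two obscuring schemes: a bare H(password) sent on the wire, and a hypothetical digest-style challenge-response in which the server sends a nonce and the client answers with H(nonce || password). The wordlist, the mangling rules and the choice of SHA-1 and SHA-256 are all constructed assumptions for illustration; the only property that matters is that the keyspace of human-chosen passwords is small enough to enumerate.

```python
import hashlib
import os

# Constructed wordlist standing in for a real dictionary (assumption: a real
# attack would use millions of leaked passwords; six words suffice to show
# the mechanics).
WORDLIST = ["letmein", "dragon", "password", "sunshine", "welcome", "monkey"]


def unsalted_hash(password: str) -> str:
    """Scheme 1 (naive obscuring): the client sends H(password) in place of
    the password itself. SHA-1 is an assumed choice, used only to illustrate."""
    return hashlib.sha1(password.encode()).hexdigest()


def challenge_response(nonce: bytes, password: str) -> str:
    """Scheme 2 (hypothetical digest-style obscuring): the server sends a
    fresh nonce, the client answers with H(nonce || password). Both the nonce
    and the answer travel in the clear."""
    return hashlib.sha256(nonce + password.encode()).hexdigest()


def candidates(words):
    """Enumerate the keyspace of human-chosen passwords: each word in its
    lower, Capitalised and UPPER forms, bare or followed by a number 0-99 or
    a year 1990-2009 (typical mangling rules of a password cracker)."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for n in range(100):
                yield f"{base}{n}"
            for year in range(1990, 2010):
                yield f"{base}{year}"


def keyspace_size(words=WORDLIST) -> int:
    """Number of candidates the attacker has to try; tiny on any modern PC."""
    return sum(1 for _ in candidates(words))


def build_lookup_table(words=WORDLIST) -> dict:
    """Precompute H(candidate) -> candidate for the whole keyspace once.
    This is what a rainbow table (or a search engine that has indexed
    hashes) amounts to: the hashing cost is paid before any capture."""
    return {unsalted_hash(c): c for c in candidates(words)}


def crack_unsalted(wire_digest: str, table: dict):
    """Scheme 1 falls to a single dictionary lookup."""
    return table.get(wire_digest)


def crack_challenge_response(nonce: bytes, wire_response: str, words=WORDLIST):
    """Scheme 2 defeats precomputed tables, but the eavesdropper saw the
    nonce too, so the whole keyspace is simply re-hashed with that nonce."""
    for c in candidates(words):
        if challenge_response(nonce, c) == wire_response:
            return c
    return None


def eavesdrop_and_crack(password: str):
    """Simulate one login under each scheme as seen by a passive observer of
    the unencrypted channel. Returns the password recovered under
    (scheme 1, scheme 2); None means it lay outside the keyspace."""
    # Scheme 1: only H(password) crosses the wire.
    wire_digest = unsalted_hash(password)
    recovered_1 = crack_unsalted(wire_digest, build_lookup_table())

    # Scheme 2: nonce goes server->client, H(nonce||password) comes back.
    nonce = os.urandom(16)
    wire_response = challenge_response(nonce, password)
    recovered_2 = crack_challenge_response(nonce, wire_response)

    return recovered_1, recovered_2


if __name__ == "__main__":
    print(f"keyspace tried: {keyspace_size()} candidates")
    print("Dragon1999 ->", eavesdrop_and_crack("Dragon1999"))
    print("random 10-char secret ->", eavesdrop_and_crack("x9#Qz!pL4v"))
```

The nonce in the second scheme stops a precomputed table from being reused, but it does not enlarge the keyspace the attacker has to search, because the nonce itself was observed; only a confidentiality layer such as SSL/TLS prevents the captured response from being tested offline at all.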
Received on Thursday, 14 February 2008 18:51:15 GMT
