RE: New draft TAG finding - Passwords in the Clear

From: Marc de Graauw <marc@marcdegraauw.com>
Date: Thu, 2 Nov 2006 10:46:20 +0100
To: <www-tag@w3.org>
Message-ID: <007a01c6fe63$c28596b0$fd00a8c0@MARCNOTE>

Elliotte Harold:

| > 1) Passwords MUST NOT be transmitted in clear text.
| 
| This restriction strikes me as a little strong, though perhaps
| advisable. I have in the past frequently used HTTP Basic auth over
| regular sockets (not SSL) for low security needs. For instance, I've
| sometimes sent the same user name and password to multiple reviewers
| for a draft article. Mostly I'm just trying to keep Google's search
| bot out of it, and it doesn't bother me a great deal if someone not
| in my approved list sees it.

I had the same feeling reading this. I use HTTP Basic auth to keep spambots
out of a semi-public wiki (I know others do this too), and don't feel
bothered by clear-text passwords in this particular case.

Marc
Received on Thursday, 2 November 2006 09:47:09 GMT