
RE: Summary of Responses to Passwords in the Clear from Web SC Working Group

From: David Orchard <dorchard@bea.com>
Date: Wed, 9 Apr 2008 15:54:03 -0700
Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E01A4FF65@repbex01.amer.bea.com>
To: "Dan Connolly" <connolly@w3.org>
Cc: <www-tag@w3.org>

The bulk of Chris Drake's message:

The "passwords" you propose to protect are short alphanumeric ascii
tokens, usually based on human-recognizable things like words.  The
"keyspace" of these make it trivial on modern PCs to test every
possible combination against whatever hash or obscuring method you
choose, in a very short time.  Using either Rainbow tables, or google,
cracking hashed passwords more often than not takes only a few seconds
nowadays.

http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/

Given that obscuring/hashing passwords makes people erroneously
believe they are now secure - it could well be making things worse by
doing this, rather than by sending via plain text:  at least when
they were in plaintext, every uneducated person who could observe them
passing by was able to understand it's not secure.  Hashing merely
serves to deceive the people building and operating the insecure
system, all while handing hackers and crackers free access to the
original plaintext passwords.

Cheers,
Dave 

> -----Original Message-----
> From: Dan Connolly [mailto:connolly@w3.org] 
> Sent: Wednesday, April 09, 2008 3:26 PM
> To: David Orchard
> Cc: www-tag@w3.org
> Subject: Re: Summary of Responses to Passwords in the Clear 
> from Web SCWorking Group
> 
> 
> On Wed, 2008-04-09 at 15:03 -0700, David Orchard wrote:
> [...]
> >  2) Digest is not acceptable.  
> 
> ?!
> 
> Really? That's a disappointing conclusion.
> 
> If I'm following the argument, it's because the server 
> doesn't authenticate to the client in the digest protocol. Hmm.
> I suppose that's a good argument. :-/
> 
> 
> 
> --
> Dan Connolly, W3C http://www.w3.org/People/Connolly/
> gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E
> 
> 
Received on Wednesday, 9 April 2008 22:55:23 GMT
