FW: Draft W3C TAG Finding "Passwords in the Clear" available for review from David Orchard on 2008-02-14 (www-tag@w3.org from February 2008)

From: David Orchard <dorchard@bea.com>
Date: Thu, 14 Feb 2008 10:48:30 -0800
To: <www-tag@w3.org>
Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E01672100@repbex01.amer.bea.com>
 

-----Original Message-----
From: Amir Herzberg [mailto:amir.herzberg@gmail.com] 
Sent: Thursday, February 14, 2008 7:29 AM
To: Rice, Ed (ProCurve)
Cc: Chris Drake; David Orchard; public-usable-authentication@w3.org
Subject: Re: Draft W3C TAG Finding "Passwords in the Clear" available
for review

First, my apologies at giving comments at this late phase, I wanted to
help with this work (and was even invited to...), but my research
interests dragged me  to some other areas... (even more interesting...).
Anyway, here's my 2 cents.

Second, I want to say that the draft is nice, clear and concise.

Third, on the password protection issue... Indeed, it would be advisable
that the draft explicitly warn against relying on digest authentication,
due to dictionary attacks. Furthermore, you may want to point out that
this is desirable even for sites which are not very sensitive, since
users often reuse passwords. For same reason, you should recommend not
to use passpwords-in-clear even in `insensitive` sites (better not ask
pw at all).

Finally, I think you should also warn about incorrect use of SSL/TLS,
specifically the incorrect method, still applied (at least by default)
in several major sites, of sending unprotected login forms, and invoking
SSL/TLS only upon submission, to encrypt the password - as I've pointed
out years ago, and is now agreed essentially universally (e.g. by FSTC
recommendation), this is insecure, since an attacker could send a
look-alike page which will NOT encrypt the password.

Best regards, Amir Herzberg

On Thu, Feb 14, 2008 at 4:17 PM, Rice, Ed (ProCurve) <ed.rice@hp.com>
wrote:
>
>  Dave,
>
>  I (Still) agree with Chris.  Sending passwords in clear text is wrong
it doesn't really matter how complex the  password is.
>
>  -Ed
>
>
>  -----Original Message-----
>  From: Chris Drake [mailto:christopher@pobox.com]
>  Sent: Wednesday, February 13, 2008 11:21 PM
>  To: David Orchard
>  Cc: public-usable-authentication@w3.org; Rice, Ed (ProCurve)
>  Subject: Re: Draft W3C TAG Finding "Passwords in the Clear" available

> for review
>
>  Hi David,
>
>  Thanks for the "review solicitation" on:-
>  http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
>
>  In general - that entire document is horribly misleading.  You are  
> advocating that password exchange over non-encrypted mediums is  
> acceptable (albeit after obscuring the password itself).
>
>  This is never acceptable, because - in the absence of suitable  
> session-key protection, there is no way you can obscure a plaintext  
> password safely.
>
>  The "passwords" you propose to protect are short alphanumeric ascii  
> tokens, usually based on human-recognizable things like words.  The  
> "keyspace" of these make it trivial on modern PCs to test every  
> possible combination against whatever hash or obscuring method you  
> choose, in a very short time.  Using either Rainbow tables, or google,

> cracking hashed passwords more often than not takes only a few seconds

> nowdays.
>
>  
> http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cra
> cker/
>
>  Given that obscuring/hashing passwords makes people erroneously  
> believe they are now secure - it could well be making things worse by

> doing this, rather than by sending via plain text:  at least when  
> they were in plaintext, every uneducated person who could observe them

> passing by was able to understand it's not secure.  Hashing merely  
> serves to deceive the people building and operating the insecure  
> system, all while handing hackers and crackers free access to the  
> original plaintext passwords.
>
>  If any recommendation should be included at all - it should be this:-
>
>   Always use SSL or some equivalent security - there is no provision
>   in web browsers that allows passwords to be exchanged securely
>   without SSL.  Not even hashing.
>
>  Kind Regards,
>  Chris Drake
>
>
>  Thursday, February 14, 2008, 11:48:12 AM, you wrote:
>
>  DO> Dear Web Security Context WG,
>  DO>
>  DO> On behalf of the W3C TAG, I would like to solicit your review  
> DO> of the Draft TAG finding "Passwords in the Clear" [1].  Comments  
> DO> on this draft should be posted to www-tag@w3.org and are  DO> 
> appreciated.  We do not have a firm deadline but I'd like to  DO> 
> suggest March 7th 2008 as a rough timeframe for comments.
>  DO>
>  DO> Cheers,
>  DO> Dave Orchard
>
>  DO>
>  DO> [1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
>  DO>
>
>
>
>
>
>
>
>
>



--
Amir Herzberg
Associate Professor, Dept. of Computer Science Bar Ilan University
http://AmirHerzberg.com
LinkedIn: http://www.linkedin.com//in/amirherzberg
Received on Thursday, 14 February 2008 18:48:51 UTC