FW: Draft W3C TAG Finding "Passwords in the Clear" available for review

 

________________________________

From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com] 
Sent: Thursday, February 14, 2008 7:38 AM
To: David Orchard; public-usable-authentication@w3.org
Subject: RE: Draft W3C TAG Finding "Passwords in the Clear" available
for review


"There are some cases where it is acceptable to transmit passwords in
the clear. One example is that placing a password on a page can be used
as a simple way to stop web crawlers without really having to 'secure'
the content. Administrators using a clear text password need to be aware
that passwords used for this type of purpose SHOULD NOT re-use the same
password in contexts that are more sensitive."
 
 
I would phrase this as a 'not directly harmful' practice rather than an
'acceptable' one.
 
I do not like schemes that teach users to repurpose security channels.
It means that when we try to educate users about good practices we have
to include exclusions and caveats to deal with these corner cases.
 
The same effect can be achieved through a POST form, there is no value
to using a password field in this case and in fact it is an
encumberance.

________________________________

From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of David
Orchard
Sent: Wednesday, February 13, 2008 8:48 PM
To: public-usable-authentication@w3.org
Subject: Draft W3C TAG Finding "Passwords in the Clear" available for
review


Dear Web Security Context WG,
 
On behalf of the W3C TAG, I would like to solicit your review of the
Draft TAG finding "Passwords in the Clear" [1].  Comments on this draft
should be posted to www-tag@w3.org and are appreciated.  We do not have
a firm deadline but I'd like to suggest March 7th 2008 as a rough
timeframe for comments.
 
Cheers,
Dave Orchard
 
[1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52