W3C home > Mailing lists > Public > www-tag@w3.org > May 2008

Re: Updated passwordsInTheClear-52

From: ashok malhotra <ashok.malhotra@ORACLE.COM>
Date: Fri, 02 May 2008 07:36:04 -0700
Message-ID: <481B26D4.2030503@oracle.com>
To: noah_mendelsohn@us.ibm.com
CC: David Orchard <orchard@pacificspirit.com>, www-tag@w3.org

I agree that the prose could be improved but that can come later.

noah_mendelsohn@us.ibm.com wrote:
> Dave:  I took an action yesterday to review specifically your edits 
> dealing with digest authentication.  I'm glad to see that you followed up 
> on the suggestion that digest may be acceptable when suitably strong 
> passwords are chosen.  The quibble I have is that you specifically suggest 
> that only short alphanumeric strings can be cracked, and you imply that 
> longer alphanumeric strings are the answer.  I think both of those are 
> questionnable calls at best, and unnecessary to the essence of the point. 
> So, I suggest the following edits to your original:
> <original>
> The Digest method is subject to dictionary attacks when passwords are 
> short common alphanumeric strings. An attacker can easily compute the 
> digest for a large set of such common passwords then compare against the 
> transmitted message. This can be mitigated by the use of significantly 
> longer strings, but this is very rare practice on the web. The Digest 
> method is subject to man in the middle attacks because an intermediary can 
> degrade the quality of service to basic authentication. 
> </original>
> <suggested>
> The Digest method is subject to dictionary attacks, and must not be used 
> except in circumstances where passwords are known to be of sufficient 
> length and complexity to thwart such attacks.  The sophistication and 
> power of dictionary-based exploits continues to increase;  where before 
> such attacks targeted only short passwords using common terms, modern 
> approaches can be effective in "cracking" certain longer or more complex 
> passwords as well.   Great care must therefore be taken if digest 
> authentication is to be used, and it should be noted that few systems in 
> common use on the Web today ensure the use of sufficiently strong 
> passwords.  The Digest method is >also< subject to man in the middle 
> attacks because an intermediary can degrade the quality of service to be 
>> no better than that of< basic authentication. 
> </suggested>
> I'm short on time at the moment, and I suspect that a bit of editorial 
> work would result in somewhat more appealing prose, but I think the 
> essence of the changes is important.  Anyway, I believe this discharges my 
> action, and I will go into tracker and close it.  Thank you.
> Noah
> --------------------------------------
> Noah Mendelsohn 
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
> "David Orchard" <orchard@pacificspirit.com>
> Sent by: www-tag-request@w3.org
> 05/02/2008 09:19 AM
>         To:     www-tag@w3.org
>         cc:     (bcc: Noah Mendelsohn/Cambridge/IBM)
>         Subject:        Updated passwordsInTheClear-52
> Changes:
> Added comments about digest authentication and use of strong passwords.
> Previous changes
> Updated abstract.
> Changed SHOULD NOT send passwords in the clear to MUST NOT and related 
> text
> Added information on Digest Authentication vulnerabilities and warning
> Added SSL/TLS configuration warning.
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080501.html 
> Cheers,
> Dave

All the best, Ashok
Received on Friday, 2 May 2008 14:39:11 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:32:56 UTC