W3C home > Mailing lists > Public > www-tag@w3.org > May 2008

RE: Updated passwordsInTheClear-52

From: David Orchard <dorchard@bea.com>
Date: Thu, 8 May 2008 08:52:07 -0700
Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E01C3109C@repbex01.amer.bea.com>
To: <noah_mendelsohn@us.ibm.com>, "David Orchard" <orchard@pacificspirit.com>
Cc: <www-tag@w3.org>

I like your edits for the most part.  I just replaced the existing
versions, latest link at
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52  

I tweaked the wording somewhat to

The Digest method is subject to dictionary attacks, and must not be used
except in circumstances where passwords are known to be of sufficient
length and complexity to thwart such attacks.  The sophistication and
power of dictionary-based attacks continues to increase such that longer
and complex passwords are vulnerable to attacks, not just short
passwords using common terms.  Great care must therefore be taken using
digest authentication, and it should be noted that few systems on the
Web today require sufficiently strong passwords.  The Digest method is
also subject to man in the middle attacks because an intermediary can
degrade the quality of service to basic authentication.

Cheers,
Dave

> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] 
> On Behalf Of noah_mendelsohn@us.ibm.com
> Sent: Friday, May 02, 2008 3:17 PM
> To: David Orchard
> Cc: www-tag@w3.org
> Subject: Re: Updated passwordsInTheClear-52
> 
> 
> Dave:  I took an action yesterday to review specifically your 
> edits dealing with digest authentication.  I'm glad to see 
> that you followed up on the suggestion that digest may be 
> acceptable when suitably strong passwords are chosen.  The 
> quibble I have is that you specifically suggest that only 
> short alphanumeric strings can be cracked, and you imply that 
> longer alphanumeric strings are the answer.  I think both of 
> those are questionnable calls at best, and unnecessary to the 
> essence of the point. 
> So, I suggest the following edits to your original:
> 
> <original>
> The Digest method is subject to dictionary attacks when 
> passwords are short common alphanumeric strings. An attacker 
> can easily compute the digest for a large set of such common 
> passwords then compare against the transmitted message. This 
> can be mitigated by the use of significantly longer strings, 
> but this is very rare practice on the web. The Digest method 
> is subject to man in the middle attacks because an 
> intermediary can degrade the quality of service to basic 
> authentication. 
> </original>
> 
> <suggested>
> The Digest method is subject to dictionary attacks, and must 
> not be used except in circumstances where passwords are known 
> to be of sufficient length and complexity to thwart such 
> attacks.  The sophistication and power of dictionary-based 
> exploits continues to increase;  where before such attacks 
> targeted only short passwords using common terms, modern 
> approaches can be effective in "cracking" certain longer or 
> more complex 
> passwords as well.   Great care must therefore be taken if digest 
> authentication is to be used, and it should be noted that few 
> systems in common use on the Web today ensure the use of 
> sufficiently strong passwords.  The Digest method is >also< 
> subject to man in the middle attacks because an intermediary 
> can degrade the quality of service to be 
> >no better than that of< basic authentication. 
> </suggested>
> 
> I'm short on time at the moment, and I suspect that a bit of 
> editorial work would result in somewhat more appealing prose, 
> but I think the essence of the changes is important.  Anyway, 
> I believe this discharges my action, and I will go into 
> tracker and close it.  Thank you.
> 
> Noah
> 
> --------------------------------------
> Noah Mendelsohn
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
> 
> 
> 
> 
> 
> 
> 
> 
> "David Orchard" <orchard@pacificspirit.com>
> Sent by: www-tag-request@w3.org
> 05/02/2008 09:19 AM
>  
>         To:     www-tag@w3.org
>         cc:     (bcc: Noah Mendelsohn/Cambridge/IBM)
>         Subject:        Updated passwordsInTheClear-52
> 
> 
> Changes:
>  
> Added comments about digest authentication and use of strong 
> passwords.
>  
> Previous changes
>  
> Updated abstract.
> Changed SHOULD NOT send passwords in the clear to MUST NOT 
> and related 
> text
> Added information on Digest Authentication vulnerabilities and warning
> Added SSL/TLS configuration warning.
>  
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080501.html 
>  
> Cheers,
> Dave
> 
> 
> 
Received on Thursday, 8 May 2008 15:52:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:47:56 GMT