
RE: Updated passwordsInTheClear-52

From: Williams, Stuart (HP Labs, Bristol) <skw@hp.com>
Date: Thu, 8 May 2008 16:20:49 +0000
To: David Orchard <dorchard@bea.com>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, David Orchard <orchard@pacificspirit.com>
CC: "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <9674EA156DA93A4F855379AABDA4A5C611CEACA13A@G5W0277.americas.hpqcorp.net>

This may go against the grain, but I'm wondering whether we can avoid the 'informational' "must not" (as opposed to the imperative "MUST NOT"s) which reflect a level of value judgement. I think maybe writing in a plain factual style would be better (and not lead to questions about whether that's a 'must not' or a 'MUST NOT').

eg rewrite:

> The Digest method is subject to dictionary attacks, and must not be used
> except in circumstances where passwords are known to be of sufficient
> length and complexity to thwart such attacks.

as:

  The Digest method is subject to dictionary attacks, and is vulnerable
  in circumstances where passwords are known to be of insufficient
  length and complexity to thwart such attacks.

Regards

Stuart
--
Hewlett-Packard Limited registered Office: Cain Road, Bracknell, Berks RG12 1HN
Registered No: 690597 England

> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org]
> On Behalf Of David Orchard
> Sent: 08 May 2008 16:52
> To: noah_mendelsohn@us.ibm.com; David Orchard
> Cc: www-tag@w3.org
> Subject: RE: Updated passwordsInTheClear-52
>
>
> I like your edits for the most part.  I just replaced the existing
> versions, latest link at
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
>
> I tweaked the wording somewhat to
>
> The Digest method is subject to dictionary attacks, and must not be used
> except in circumstances where passwords are known to be of sufficient
> length and complexity to thwart such attacks.  The sophistication and
> power of dictionary-based attacks continues to increase such that longer
> and complex passwords are vulnerable to attacks, not just short
> passwords using common terms.  Great care must therefore be taken using
> digest authentication, and it should be noted that few systems on the
> Web today require sufficiently strong passwords.  The Digest method is
> also subject to man in the middle attacks because an intermediary can
> degrade the quality of service to basic authentication.
>
> Cheers,
> Dave
>
> > -----Original Message-----
> > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org]
> > On Behalf Of noah_mendelsohn@us.ibm.com
> > Sent: Friday, May 02, 2008 3:17 PM
> > To: David Orchard
> > Cc: www-tag@w3.org
> > Subject: Re: Updated passwordsInTheClear-52
> >
> >
> > Dave:  I took an action yesterday to review specifically your
> > edits dealing with digest authentication.  I'm glad to see
> > that you followed up on the suggestion that digest may be
> > acceptable when suitably strong passwords are chosen.  The
> > quibble I have is that you specifically suggest that only
> > short alphanumeric strings can be cracked, and you imply that
> > longer alphanumeric strings are the answer.  I think both of
> > those are questionable calls at best, and unnecessary to the
> > essence of the point.
> > So, I suggest the following edits to your original:
> >
> > <original>
> > The Digest method is subject to dictionary attacks when
> > passwords are short common alphanumeric strings. An attacker
> > can easily compute the digest for a large set of such common
> > passwords then compare against the transmitted message. This
> > can be mitigated by the use of significantly longer strings,
> > but this is very rare practice on the web. The Digest method
> > is subject to man in the middle attacks because an
> > intermediary can degrade the quality of service to basic
> > authentication.
> > </original>
> >
> > <suggested>
> > The Digest method is subject to dictionary attacks, and must
> > not be used except in circumstances where passwords are known
> > to be of sufficient length and complexity to thwart such
> > attacks.  The sophistication and power of dictionary-based
> > exploits continues to increase;  where before such attacks
> > targeted only short passwords using common terms, modern
> > approaches can be effective in "cracking" certain longer or
> > more complex
> > passwords as well.   Great care must therefore be taken if digest
> > authentication is to be used, and it should be noted that few
> > systems in common use on the Web today ensure the use of
> > sufficiently strong passwords.  The Digest method is >also<
> > subject to man in the middle attacks because an intermediary
> > can degrade the quality of service to be
> > >no better than that of< basic authentication.
> > </suggested>
> >
> > I'm short on time at the moment, and I suspect that a bit of
> > editorial work would result in somewhat more appealing prose,
> > but I think the essence of the changes is important.  Anyway,
> > I believe this discharges my action, and I will go into
> > tracker and close it.  Thank you.
> >
> > Noah
> >
> > --------------------------------------
> > Noah Mendelsohn
> > IBM Corporation
> > One Rogers Street
> > Cambridge, MA 02142
> > 1-617-693-4036
> > --------------------------------------
> >
> > "David Orchard" <orchard@pacificspirit.com>
> > Sent by: www-tag-request@w3.org
> > 05/02/2008 09:19 AM
> >
> >         To:     www-tag@w3.org
> >         cc:     (bcc: Noah Mendelsohn/Cambridge/IBM)
> >         Subject:        Updated passwordsInTheClear-52
> >
> >
> > Changes:
> >
> > Added comments about digest authentication and use of strong
> > passwords.
> >
> > Previous changes
> >
> > Updated abstract.
> > Changed SHOULD NOT send passwords in the clear to MUST NOT and related text
> > Added information on Digest Authentication vulnerabilities and warning
> > Added SSL/TLS configuration warning.
> >
> > http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
> > http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080501.html
> >
> > Cheers,
> > Dave
> >
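As an added example (not code from this thread or from the TAG finding it discusses), the Python below shows the client-side policy that addresses the downgrade Dave and Noah describe: it parses a WWW-Authenticate challenge set, prefers Digest when offered, and refuses to fall back to Basic unless TLS already protects the password on the wire. The challenge strings and their nonce/opaque values are constructed for the example.

```python
import re

# Constructed sample challenges (not from the thread or the TAG finding): the origin offers
# Digest with a Basic fallback; an intermediary has stripped it to Basic alone (the downgrade).
ORIGIN_CHALLENGE = ('Digest realm="example", qop="auth", nonce="n0nce-constructed-1", '
                    'opaque="opaque-constructed-1", Basic realm="example"')
DOWNGRADED_CHALLENGE = 'Basic realm="example"'

def _split_outside_quotes(header):
    """Split on commas that are not inside a quoted-string."""
    parts, buf, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_challenges(header):
    """Parse a WWW-Authenticate value into a list of (scheme, params) in order."""
    challenges = []
    for piece in _split_outside_quotes(header):
        m = re.match(r"^([A-Za-z][\w-]*)\s+(.*)$", piece)
        if m:  # "Scheme key=value": a new challenge starts here
            challenges.append((m.group(1).lower(), {}))
            piece = m.group(2)
        elif not challenges or "=" not in piece:  # bare scheme, no params
            challenges.append((piece.lower(), {}))
            continue
        key, _, value = piece.partition("=")
        challenges[-1][1][key.strip().lower()] = value.strip().strip('"')
    return challenges

def choose_scheme(header, over_tls):
    """Client policy: Digest if offered; Basic only when TLS protects the
    password on the wire; otherwise refuse rather than send it in the clear."""
    schemes = {scheme for scheme, _ in parse_challenges(header)}
    if "digest" in schemes:
        return "digest"
    return "basic" if "basic" in schemes and over_tls else "refuse"

def is_downgraded(previous, current):
    """True when an origin that earlier offered Digest now offers only Basic."""
    prev = {s for s, _ in parse_challenges(previous)}
    cur = {s for s, _ in parse_challenges(current)}
    return "digest" in prev and "digest" not in cur and "basic" in cur
```

A client that remembers the strongest scheme each origin has offered can use `is_downgraded` to treat a sudden Basic-only challenge as a signal to stop, rather than quietly sending the password in the clear.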
Received on Thursday, 8 May 2008 16:25:08 GMT
