Re: Passwords in the clear update

From: <noah_mendelsohn@us.ibm.com>
Date: Tue, 7 Oct 2008 13:50:57 -0400
To: Jonathan Rees <jar@creativecommons.org>
Cc: David Orchard <orchard@pacificspirit.com>, "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <OFB22C97D1.483A726A-ON852574DB.00617432-852574DB.0061CC63@lotus.com>

Jonathan Rees suggests:

> "Good practice: Clear text passwords are a serious security risk. 
> Transmit passwords in the clear only in applications that do not 
> require any assurance of security."

I'm sympathetic to your attempt to come up with something, but I think 
this misses an important nuance that is mentioned in the draft minutes of 
our meetings.  As I understand it, one concern is with the risk that 
novices will use the same password for multiple applications.  So, you 
deploy the "birthday party registration application" for your child, and 
decide that pwds in the clear are just fine for that.  Unbeknownst to you, 
those registering for the birthday party use the same password as for 
their bank account.  Nefarious network sniffers pick up the pwd from the 
birthday login, and use it to empty the bank account.

I believe we were told by the security "experts" that this sort of thing 
was an important concern for them, and one of the reasons they wanted to 
prohibit pwds in the clear entirely.  Perhaps:

"Good practice: Clear text passwords are a serious security risk. Transmit 
passwords in the clear only in applications that do not 
require any assurance of security, and when users are aware of the risks."

Noah

--------------------------------------
Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Received on Tuesday, 7 October 2008 17:50:10 GMT