
Re: Passwords in the clear update

From: David Orchard <orchard@pacificspirit.com>
Date: Tue, 7 Oct 2008 21:11:26 -0700
Message-ID: <2d509b1b0810072111w75a85545vcc4a8314beea2184@mail.gmail.com>
To: "Jonathan Rees" <jar@creativecommons.org>
Cc: noah_mendelsohn@us.ibm.com, "www-tag@w3.org" <www-tag@w3.org>
I like where Jonathan is going on this, but I think that we aren't going to
come up with enough caveats/explanation that will satisfy those that want a
"MUST NOT transmit passwords in the clear".  We can try the explaining route
without the SHOULD NOT or MUST NOT.

My attempt:

"Good practice: Clear text passwords are a serious security risk. Transmit
passwords in the clear only in interactions that do not need to be secure
and do not lead to new vulnerabilities in other interactions."

A vulnerability may be created with clear-text passwords if the same
password in the clear text interaction is re-used in other interactions.
Users and administrators should take appropriate steps, such as warnings, to
mitigate such a vulnerability if clear text passwords are used.

Cheers,
Dave

On Tue, Oct 7, 2008 at 12:12 PM, Jonathan Rees <jar@creativecommons.org> wrote:

> Yes, I think this is an important point, and that's why I wrote (maybe you
> didn't see this):
>
> "remind developers / site administrators that users of passwords
> transmitted in this way must (MUST?) be told in no uncertain terms that such
> passwords should be treated as public knowledge and shouldn't be used to
> protect anything that matters."
>
> This could be amplified with explicit mention of the case where someone
> might be tempted to reuse, in an in-the-clear context, a password that
> *already* protects something that matters. Just don't do it.
>
> I looked for wording like this in the draft and didn't find it, and didn't
> see it in the IRC log, so I thought it possible that there was a reason we
> shied away from it.
>
> To talk about "the risks" and "being aware of the risks" is a bit coy, I
> think. It sounds like we're choosing not to tell readers what those risks
> are, that it's a puzzle for them (or their users) to figure out. Better to
> just say: It's not secure, don't let anyone think it is, do it only when
> security doesn't matter.
>
> Jonathan
>
>
> On Oct 7, 2008, at 1:50 PM, noah_mendelsohn@us.ibm.com wrote:
>
>> Jonathan Rees suggests:
>>
>>> "Good practice: Clear text passwords are a serious security risk.
>>> Transmit passwords in the clear only in applications that do not
>>> require any assurance of security."
>>
>> I'm sympathetic to your attempt to come up with something, but I think
>> this misses an important nuance that is mentioned in the draft minutes of
>> our meetings.  As I understand it, one concern is with the risk that
>> novices will use the same password for multiple applications.  So, you
>> deploy the "birthday party registration application" for your child, and
>> decide that pwds in the clear are just fine for that.  Unbeknownst to you,
>> those registering for the birthday party use the same password as for
>> their bank account.  Nefarious network sniffers pick up the pwd from the
>> birthday login, and use it to empty the bank account.
>>
>> I believe we were told by the security "experts" that this sort of thing
>> was an important concern for them, and one of the reasons they wanted to
>> prohibit pwds in the clear entirely.  Perhaps:
>>
>> "Good practice: Clear text passwords are a serious security risk. Transmit
>> passwords in the clear only in applications that do not
>> require any assurance of security, and when users are aware of the risks."
>>
>> Noah
>>
>> --------------------------------------
>> Noah Mendelsohn
>> IBM Corporation
>> One Rogers Street
>> Cambridge, MA 02142
>> 1-617-693-4036
>> --------------------------------------
>>
>
>
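The thread argues that a password sent over plain HTTP should be treated as public knowledge, and that site administrators need to know where their own sites do this. The following audit check is an added example, not code from the thread or from any W3C work: it takes a batch of request records (here a constructed sample, including the "birthday party" site and a bank login) and reports every credential carried over `http` rather than `https`, whether in a Basic `Authorization` header, a form-encoded body, or a JSON body. The request-record layout, the list of password field names and the sample hosts are assumptions of this example, and the audit output redacts the password itself rather than re-exposing it.

```python
import base64
import json
from urllib.parse import parse_qs

# Field names that login forms and JSON bodies commonly use for the password.
# This set is an assumption of the example, not something the thread specifies.
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}


def redact(secret: str) -> str:
    """Audit output must not re-expose the credential; keep only its length."""
    return "<redacted, %d chars>" % len(secret)


def _basic_auth_credential(value: str):
    """Decode an HTTP Basic Authorization header into (user, password), or None."""
    if not value.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: not a usable credential
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def _body_credentials(content_type: str, body: str):
    """Yield (source, user, password) triples found in a form or flat JSON body."""
    if "application/x-www-form-urlencoded" in content_type:
        fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    elif "application/json" in content_type:
        try:
            obj = json.loads(body)
        except ValueError:
            return
        if not isinstance(obj, dict):
            return  # only flat JSON objects are inspected in this example
        fields = {str(k).lower(): str(v) for k, v in obj.items()}
    else:
        return
    user = fields.get("user") or fields.get("username") or fields.get("login") or ""
    for name in sorted(fields.keys() & PASSWORD_FIELDS):
        yield "body:" + name, user, fields[name]


def find_cleartext_credentials(requests):
    """Return one finding per credential carried over plain http (not https)."""
    findings = []
    for req in requests:
        if req["scheme"].lower() != "http":
            continue  # transported under TLS; not "in the clear"
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        found = []
        cred = _basic_auth_credential(headers.get("authorization", ""))
        if cred:
            found.append(("header:authorization",) + cred)
        found.extend(_body_credentials(headers.get("content-type", ""),
                                       req.get("body", "")))
        for source, user, password in found:
            findings.append({
                "host": req["host"], "path": req["path"], "source": source,
                "user": user, "password": redact(password),
            })
    return findings


# Constructed sample traffic (hosts and credentials are made up for the example).
# The same password is reused at the party site (http) and the bank (https):
# only the party request is "in the clear", which is exactly the reuse risk
# the thread describes.
SAMPLE_REQUESTS = [
    {"scheme": "http", "method": "POST", "host": "party.example", "path": "/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice&password=correct+horse"},
    {"scheme": "https", "method": "POST", "host": "bank.example", "path": "/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice&password=correct+horse"},
    {"scheme": "http", "method": "GET", "host": "files.example", "path": "/",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"bob:hunter2").decode()},
     "body": ""},
    {"scheme": "http", "method": "POST", "host": "api.example", "path": "/session",
     "headers": {"Content-Type": "application/json"},
     "body": '{"username": "carol", "pwd": "s3cret"}'},
]

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_REQUESTS):
        print("cleartext credential: %(host)s%(path)s via %(source)s, "
              "user=%(user)s password=%(password)s" % finding)
```

Run against the sample, the check reports the party site, the Basic-auth file server and the JSON API, and stays silent on the bank login because it travels under TLS. In practice the input would come from a proxy log or a packet capture taken on the site's own network, and a finding on a site you consider "not worth securing" is the cue to put the warning the thread asks for in front of its users.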
Received on Wednesday, 8 October 2008 04:12:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:07 GMT