
Re: Passwords in the clear update

From: Ray Denenberg, Library of Congress <rden@loc.gov>
Date: Thu, 9 Oct 2008 11:54:14 -0400
Message-ID: <008e01c92a27$487a5e40$2caf938c@lib.loc.gov>
To: <elharo@metalab.unc.edu>, <noah_mendelsohn@us.ibm.com>
Cc: "Jonathan Rees" <jar@creativecommons.org>, "David Orchard" <orchard@pacificspirit.com>, <www-tag@w3.org>

From: "Elliotte Harold" <elharo@metalab.unc.edu>
> I now think
> the only reasonable answer is that clear text passwords are never
> acceptable. Full stop. Any suggestion that they might be acceptable in
> some circumstances is irresponsible. We need to bite the bullet and
> accept that.

I haven't been a part of this discussion, but I have to weigh in: I just
think this is simply not true and to assert that it is seems misleading.
Clearly, *clearly*, there are cases where you have to send a password in the
clear and there isn't any way around it. The example that comes to mind is
when the service tells you what password to use, and everyone uses that
password.  The password might be "password". (The service doesn't care that
everyone in the world can access it, but it is configured to require a
password.)  The argument that, well, you (the client) might then use that
same password for some other application (where *you* have to coin the
password, rather than use one that the service tells you to use), does that
really make sense in this case?

--Ray
Received on Thursday, 9 October 2008 16:10:22 GMT
