
Re: Passwords in the clear update

From: John Kemp <john.kemp@nokia.com>
Date: Thu, 09 Oct 2008 12:27:57 -0400
Message-ID: <48EE310D.5030708@nokia.com>
To: "ext Ray Denenberg, Library of Congress" <rden@loc.gov>
CC: elharo@metalab.unc.edu, noah_mendelsohn@us.ibm.com, Jonathan Rees <jar@creativecommons.org>, David Orchard <orchard@pacificspirit.com>, www-tag@w3.org

ext Ray Denenberg, Library of Congress wrote:
> From: "Elliotte Harold" <elharo@metalab.unc.edu>
>>  I now think
>> the only reasonable answer is that clear text passwords are never
>> acceptable. Full stop. Any suggestion that they might be acceptable in
>> some circumstances is irresponsible. We need to bite the bullet and
>> accept that.
> 
> I haven't been a part of this discussion, but I have to weigh in: I just
> think this is simply not true and to assert that it is seems misleading.
> Clearly, *clearly*, there are cases where you have to send a password in the
> clear and there isn't any way around it. The example that comes to mind is
> when the service tells you what password to use, and everyone uses that
> password.  The password might be "password". (The service doesn't care that
> everyone in the world can access it, but it is configured to require a
> password.)

By a password, I think we are talking about some secret piece of 
information shared between one party and another, and intended to be 
kept secret between those two parties.

If, by "password", we *do* mean some piece of information intended to 
remain secret, and intended to be shared between just two parties (not 
more) then I think it should be required (or recommended, should it not 
be possible to require it) that the shared secret is not sent, or (even 
better) stored, in cleartext.

Of course, I do recognize that this is aspirational, and also that 
people may have a looser interpretation of the term "password" than I do.

Regards,

- johnk
Received on Thursday, 9 October 2008 16:53:56 GMT
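As an added illustration of the point made above (example code, not part of the original thread): a proof-of-possession login modelled on the SCRAM idea from RFC 5802, in which the server keeps only a salted, hashed verifier and the client never transmits the password itself. Function names, the PBKDF2 work factor and the sample password are assumptions made for this example.

```python
"""Login where the shared secret is neither stored nor sent in cleartext.
Constructed example: the server keeps StoredKey = H(ClientKey) and the client
proves knowledge of the password by sending ClientKey XOR HMAC(StoredKey, nonce)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this example


def salted_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def client_key(salted: bytes) -> bytes:
    return hmac.new(salted, b"Client Key", "sha256").digest()


def enroll(password: str) -> dict:
    """Server-side record: a random salt plus H(ClientKey); the password is never kept."""
    salt = os.urandom(16)
    ck = client_key(salted_password(password, salt))
    return {"salt": salt, "stored_key": hashlib.sha256(ck).digest()}


def client_proof(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What crosses the wire: ClientKey XOR HMAC(StoredKey, nonce), never the password."""
    ck = client_key(salted_password(password, salt))
    stored_key = hashlib.sha256(ck).digest()
    signature = hmac.new(stored_key, nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ck, signature))


def server_verify(record: dict, nonce: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check that it hashes to StoredKey.
    Caveat: a stolen StoredKey together with one captured exchange lets an
    attacker recover ClientKey, so the stored record still needs protecting."""
    signature = hmac.new(record["stored_key"], nonce, "sha256").digest()
    recovered = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), record["stored_key"])


def login(record: dict, password_attempt: str) -> bool:
    """One full exchange: server issues a fresh nonce, client answers, server checks."""
    nonce = os.urandom(16)
    proof = client_proof(password_attempt, record["salt"], nonce)
    return server_verify(record, nonce, proof)
```

A fresh nonce per exchange means a captured proof cannot simply be replayed, and the record on the server contains no cleartext copy of the secret.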
