ext Ray Denenberg, Library of Congress wrote:

> From: "Elliotte Harold" <elharo@metalab.unc.edu>
>> I now think the only reasonable answer is that clear text passwords are never
>> acceptable. Full stop. Any suggestion that they might be acceptable in
>> some circumstances is irresponsible. We need to bite the bullet and
>> accept that.
>
> I haven't been a part of this discussion, but I have to weigh in: I just
> think this is simply not true and to assert that it is seems misleading.
> Clearly, *clearly*, there are cases where you have to send a password in the
> clear and there isn't any way around it. The example that comes to mind is
> when the service tells you what password to use, and everyone uses that
> password. The password might be "password". (The service doesn't care that
> everyone in the world can access it, but it is configured to require a
> password.)

By a password, I think we are talking about some secret piece of information shared between one party and another, and intended to be kept secret between those two parties.

If, by "password", we *do* mean some piece of information intended to remain secret, and intended to be shared between just two parties (not more), then I think it should be required (or recommended, should it not be possible to require it) that the shared secret is not sent, or (even better) stored, in cleartext.

Of course, I do recognize that this is aspirational, and also that people may have a looser interpretation of the term "password" than I do.

Regards,

- johnk

Received on Thursday, 9 October 2008 16:53:56 GMT
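The two properties johnk separates, "not sent in cleartext" and "not stored in cleartext", can be shown side by side. The following is an added illustration, not code from the thread or from any W3C deliverable; the shared secret, the PBKDF2 parameters and the HMAC challenge-response are constructed for the example, and the closing comment notes why the two goals pull against each other in the simplest design.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed sample secret shared between exactly two parties (client and verifier).
SHARED_SECRET = b"correct horse battery staple"
PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def derive_verifier(secret: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """'Not stored in cleartext': keep a salted PBKDF2 digest, never the secret itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)
    return salt, digest


def check_stored(secret: bytes, salt: bytes, digest: bytes) -> bool:
    """Verify a presented secret against the stored digest with a constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def issue_challenge() -> bytes:
    """Verifier side: a fresh random nonce per authentication attempt."""
    return secrets.token_bytes(32)


def client_response(secret: bytes, challenge: bytes) -> bytes:
    """'Not sent in cleartext': the wire carries HMAC(secret, nonce), not the secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier recomputes the MAC; a replayed response fails because the nonce differs."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# Caveat the thread's wording hints at with "(even better) stored": verify_response()
# needs the secret (or a password-equivalent derived key) on the verifier side, so a
# plain challenge-response protects the secret in transit but not at rest. Combining
# both properties needs a scheme designed for it (e.g. a PAKE), not this simple pair.
```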
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 9 October 2008 16:53:57 GMT