Re: Passwords in the clear update from Pat Hayes on 2008-10-09 (www-tag@w3.org from October 2008)

From: Pat Hayes <phayes@ihmc.us>
Date: Thu, 9 Oct 2008 13:39:00 -0500
To: elharo@metalab.unc.edu
Cc: noah_mendelsohn@us.ibm.com, Jonathan Rees <jar@creativecommons.org>, David Orchard <orchard@pacificspirit.com>, "www-tag@w3.org" <www-tag@w3.org>
Message-Id: <84667359-B085-4BEC-BE45-03F7313097C9@ihmc.us>

On Oct 9, 2008, at 10:13 AM, Elliotte Harold wrote:

>
> noah_mendelsohn@us.ibm.com wrote:
>> Jonathan Rees suggests:
>>> "Good practice: Clear text passwords are a serious security risk.  
>>> Transmit passwords in the clear only in applications that do not  
>>> require any assurance of security."
>> I'm sympathetic to your attempt to come up with something, but I  
>> think this misses an important nuance that is mentioned in the  
>> draft minutes of our meetings.  As I understand it, one concern is  
>> with the risk that novices will use the same password for multiple  
>> applications.  So, you deploy the "birthday party registration  
>> application" for your child, and decide that pwds in the clear are  
>> just fine for that.  Unbeknownst to you, those registering for the  
>> birthday party use the same password as for their bank account.  
>> Nefarious network sniffers pick up the pwd from the birthday login,  
>> and use it to empty the bank account.
>
> Previously I thought cleartext passwords were sometimes OK along the  
> lines you suggest, but you've  now convinced me otherwise. I now  
> think the only reasonable answer is that clear text passwords are  
> never acceptable. Full stop. Any suggestion that they might be  
> acceptable in some circumstances is irresponsible. We need to bite  
> the bullet and accept that.
>
>> "Good practice: Clear text passwords are a serious security risk.  
>> Transmit passwords in the clear only in applications that do not  
>> require any assurance of security, and when users are aware of the  
>> risks."
>
> Don't we know by now that all users are never aware of the risks?  
> Let's stop trying to put lipstick on this pig. Cleartext passwords  
> don't work.  They are dangerous and we need to deprecate them.

Cleartext passwords may be dangerous, but the certainly WORK. Do they  
endanger anyone other than the owner of the password? If not, I  
suggest that anything beyond giving a clear warning is inappropriate.  
If people take risks when cognizant of them, as they undoubtedly will,  
then may their gods go with them, but its not the Web's (or anyone  
else's) responsibility to protect the entire planet from risky  
behavior. I myself live a risky life in this regard, and I am quite  
happy to accept the risks in return for the life-enhancing convenience  
of not having to remember 150 different passwords. I would take up  
arms to resist any world-wide imposition of a global safety belt that  
makes my life harder than it is, and to hell with your or anyone  
else's notions of Web safety.

As Bessie Smith said: if I should take a notion to walk into the  
ocean, 'tain't nobody's business if I do.

Pat Hayes

------------------------------------------------------------
IHMC                                     (850)434 8903 or (650)494 3973
40 South Alcaniz St.           (850)202 4416   office
Pensacola                            (850)202 4440   fax
FL 32502                              (850)291 0667   mobile
phayesAT-SIGNihmc.us       http://www.ihmc.us/users/phayes

Received on Thursday, 9 October 2008 18:39:58 UTC