
Re: Passwords in the clear update

From: Elliotte Harold <elharo@metalab.unc.edu>
Date: Fri, 10 Oct 2008 04:27:00 -0700
Message-ID: <48EF3C04.6090307@metalab.unc.edu>
To: "Ray Denenberg, Library of Congress" <rden@loc.gov>
Cc: noah_mendelsohn@us.ibm.com, Jonathan Rees <jar@creativecommons.org>, David Orchard <orchard@pacificspirit.com>, www-tag@w3.org

Ray Denenberg, Library of Congress wrote:

> I haven't been a part of this discussion, but I have to weigh in: I just
> think this is simply not true and to assert that it is seems misleading.
> Clearly, *clearly*, there are cases where you have to send a password in the
> clear and there isn't any way around it. The example that comes to mind is
> when the service tells you what password to use, and everyone uses that
> password.  The password might be "password". (The service doesn't care that
> everyone in the world can access it, but it is configured to require a
> password.)  The argument that, well, you (the client) might then use that
> same password for some other application (where *you* have to coin the
> password, rather than use one that the service tells you to use), does that
> really make sense in this case?

The example that comes to mind is in the early days of the web when 
Comedy Central's website required the login "sweetie" and the password 
"darling", a fact which they advertised in the clear on TV at every 
commercial break.

However, as others have pointed out, this really isn't a password at all 
in anything but name.

Elliotte Rusty Harold  elharo@metalab.unc.edu
Refactoring HTML Just Published!
Received on Friday, 10 October 2008 11:27:39 UTC
