
Re: Passwords in the clear update

From: Elliotte Harold <elharo@metalab.unc.edu>
Date: Fri, 10 Oct 2008 04:27:00 -0700
Message-ID: <48EF3C04.6090307@metalab.unc.edu>
To: "Ray Denenberg, Library of Congress" <rden@loc.gov>
Cc: noah_mendelsohn@us.ibm.com, Jonathan Rees <jar@creativecommons.org>, David Orchard <orchard@pacificspirit.com>, www-tag@w3.org

Ray Denenberg, Library of Congress wrote:

> I haven't been a part of this discussion, but I have to weigh in: I just
> think this is simply not true and to assert that it is seems misleading.
> Clearly, *clearly*, there are cases where you have to send a password in the
> clear and there isn't any way around it. The example that comes to mind is
> when the service tells you what password to use, and everyone uses that
> password.  The password might be "password". (The service doesn't care that
> everyone in the world can access it, but it is configured to require a
> password.)  The argument that, well, you (the client) might then use that
> same password for some other application (where *you* have to coin the
> password, rather than use one that the service tells you to use), does that
> really make sense in this case?
>

The example that comes to mind is in the early days of the web when 
Comedy Central's website required the login "sweetie" and the password 
"darling", a fact which they advertised in the clear on TV at every 
commercial break.

However, as others have pointed out, this really isn't a password at all 
in anything but name.

-- 
Elliotte Rusty Harold  elharo@metalab.unc.edu
Refactoring HTML Just Published!
http://www.amazon.com/exec/obidos/ISBN=0321503635/ref=nosim/cafeaulaitA
Received on Friday, 10 October 2008 11:27:39 GMT
