W3C home > Mailing lists > Public > www-tag@w3.org > October 2008

Re: Passwords in the clear update

From: Elliotte Harold <elharo@metalab.unc.edu>
Date: Fri, 10 Oct 2008 04:30:06 -0700
Message-ID: <48EF3CBE.8020607@metalab.unc.edu>
To: Pat Hayes <phayes@ihmc.us>
Cc: noah_mendelsohn@us.ibm.com, Jonathan Rees <jar@creativecommons.org>, David Orchard <orchard@pacificspirit.com>, "www-tag@w3.org" <www-tag@w3.org>

Pat Hayes wrote:

> 
> Cleartext passwords may be dangerous, but the certainly WORK. Do they 
> endanger anyone other than the owner of the password? If not, I suggest 
> that anything beyond giving a clear warning is inappropriate. If people 
> take risks when cognizant of them, as they undoubtedly will, then may 
> their gods go with them, but its not the Web's (or anyone else's) 
> responsibility to protect the entire planet from risky behavior.

There's a logical flaw here. This is not a case of people choosing to 
take risks. Rather it is an externality in which risks of cleartext 
passwords are imposed on clients by the servers they use. The benefits 
(ease of development, lower CPU cost) are garnered primarily by the 
server developer but the cost of lower security is borne by the client. 
In such circumstances, regulation is absolutely appropriate.

-- 
Elliotte Rusty Harold  elharo@metalab.unc.edu
Refactoring HTML Just Published!
http://www.amazon.com/exec/obidos/ISBN=0321503635/ref=nosim/cafeaulaitA
Received on Friday, 10 October 2008 11:30:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:07 GMT