Re: Passwords in the clear update

I think I agree with Dave Orchard here.  MUST NOT is pretty strong.  Let's 
say I put up a Web site for my family, an example I've used before.  I 
want some barriers to casual access by others, but I really don't care 
that much whether anyone breaks in to see the photos of my kids' birthday 
party.  Being a smart guy and having read the strong warnings following 
the SHOULD NOT in the finding, I don't give users the option to choose 
their own passwords, but use a system that assigns one to each user.  I 
make sure they're strong enough for my purposes (not necessarily very 
strong in this case), but more to the point I've significantly reduced the 
chance that it will be the same password a member of my family uses for 
any other system.  Just to be sure, in the email giving each user his/her 
password, I even warn them not to use the same password for any important 
systems.  Seems fine to me.  What's broken?  So, SHOULD NOT.  MUST NOT 
should be reserved for things that are always a mistake, and I don't think 
this is.

By the way, this reminds me of another hole.  How many systems carefully 
use https for login, but send passwords around using insecure email?  How 
many users store copies of those emails in unencrypted files?  Yes, much 
of this is bad practice, and perhaps it should be called out as such in 
the finding.  Still, it somewhat oversimplifies the discussion to focus a 
strong MUST NOT on the exchange of passwords using HTTP, while not saying 
anything at all about other common situations in which the same passwords 
are transmitted or stored "in the clear".

Noah 

--------------------------------------
Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
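The assigned-password scheme Noah describes above (the site picks each user's password rather than letting them choose one, so it cannot collide with a credential they use elsewhere) is easy to get subtly wrong, so here is an added worked example. It is not Noah's code or anything from the finding; it assumes a small alphabet stripped of look-alike characters (so the value survives being read out of an e-mail), a 40-bit entropy target chosen to fit a "casual access" threat model, and PBKDF2-HMAC-SHA256 for server-side storage. The user names are constructed sample input.

```python
import hashlib
import math
import os
import secrets
import string

# Assumption: drop characters that are easily confused when the password is
# mailed to a family member and typed back in (0/O, 1/l/I).
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "0O1lI"
)

PBKDF2_ROUNDS = 200_000  # assumption: a reasonable cost for a small site


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size=len(ALPHABET)):
    """Shortest length that reaches `target_bits` over the alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def assign_password(target_bits=40):
    """Site-assigned password with at least `target_bits` of entropy.

    Because the site picks it from a CSPRNG, there is no way for it to be
    the same password the user chose for some other system.
    """
    n = length_for_bits(target_bits)
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def hash_password(password, salt=None):
    """Salted PBKDF2 digest; only this pair is stored, never the plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, digest)


def enroll_users(usernames, target_bits=40):
    """Assign every user a fresh password.

    Returns (credential_store, notices): the store holds only salt/digest
    pairs; the notices hold the one plaintext copy, which is what would go
    into the e-mail that tells each user their password.
    """
    store, notices = {}, {}
    for user in usernames:
        pw = assign_password(target_bits)
        store[user] = hash_password(pw)
        notices[user] = pw
    return store, notices


if __name__ == "__main__":
    # Constructed sample input: a family site with three accounts.
    store, notices = enroll_users(["alice", "bob", "carol"])
    for user, pw in notices.items():
        print(f"{user}: {pw} ({entropy_bits(len(pw)):.1f} bits)")
        assert verify_password(pw, *store[user])
```

Note that this addresses only the reuse problem Noah raises; the assigned password still travels in the clear in the e-mail and, on a plain-HTTP login form, on the wire, so the entropy target should be set for what a casual eavesdropper could do with it, not for a high-value account.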
John Kemp <john.kemp@nokia.com>
10/10/2008 10:39 AM
 
        To:     ext David Orchard <orchard@pacificspirit.com>
        cc:     elharo@metalab.unc.edu, "Ray Denenberg, Library of Congress" <rden@loc.gov>, 
                noah_mendelsohn@us.ibm.com, Jonathan Rees <jar@creativecommons.org>, www-tag@w3.org
        Subject:        Re: Passwords in the clear update


ext David Orchard wrote:
> The question is about how "harsh" the stick should be.  Saying "MUST 
> NOT" when people very occasionally have legitimate reasons devalues the 
> finding and the advice.

What are these legitimate reasons? Or perhaps put another way, what do 
we consider a "password" to be, if not a *secret* best shared only 
between exactly two parties and used to authenticate one party to the 
other?

> I think we have to beat the point about the 
> dangers and encourage people to not use them. 
> 
> I think the finding currently reflects the very best that we are going 
> to get in terms of such a stance, and that is the least objectionable to 
> the greatest number of people.

Perhaps. But if we wave our hands in the air, will anyone hear us?

As you say in your introduction:

"Security on the World Wide Web is an important issue which needs to be 
addressed, or mistrust of the Web will limit its growth potential."

Password-based authentication is, for better or worse, an important part 
of security on the World Wide Web.

Cheers,

- johnk

> 
> Cheers,
> Dave
> 
> On Fri, Oct 10, 2008 at 6:23 AM, John Kemp <john.kemp@nokia.com 
> <mailto:john.kemp@nokia.com>> wrote:
> 
> 
>     ext Elliotte Harold wrote:
> 
>         Ray Denenberg, Library of Congress wrote:
> 
>             A blanket admonishment: "do not ever, under any circumstance,
>             use passwords in the clear", is fairly useless; most everyone
>             will ignore it. People are not going to stop. Better to
>             educate people on the dangers.
> 
> 
>         Give that blanket admonishment, and then explain the reasons
>         behind it; but don't compromise the good advice because you
>         think it may not be followed by all people in all circumstances.
> 
> 
>     I wholeheartedly agree. What is the sense in continuing to
>     implicitly condone these practices? Who would care?
> 
>     It is not that people will necessarily stop using passwords in the
>     clear, but shouldn't we have a metaphorical stick to beat them with?
> 
>     - johnk
> 
> 

Received on Friday, 10 October 2008 20:19:14 UTC