
Re: Passwords in the clear update

From: Elliotte Harold <elharo@metalab.unc.edu>
Date: Tue, 14 Oct 2008 06:34:17 -0700
Message-ID: <48F49FD9.6080901@metalab.unc.edu>
To: noah_mendelsohn@us.ibm.com
Cc: Jonathan Rees <jar@creativecommons.org>, John Kemp <john.kemp@nokia.com>, ext David Orchard <orchard@pacificspirit.com>, "Ray Denenberg, Library of Congress" <rden@loc.gov>, www-tag@w3.org

noah_mendelsohn@us.ibm.com wrote:
> It's probably time to wrap this up, since in some ways we're agreeing on 
> the pros and cons, and just not landing in the same place on whether the 
> circumstance justifies a MUST or a SHOULD.  That said, I've had a number 
> of cases where I've happily used weak passwords, not necessarily for 
> pictures of my kids, but for access to experimental Web sites or other 
> things of transient value where it would be a nuisance but not a disaster 
> if casual visitors showed up. 

If we do loosen this to a SHOULD, then we need to be clear about one 
thing we haven't been in the past: user-chosen passwords must not be 
sent in the clear for the reasons the security group elaborated. Only 
passwords chosen by the server, which the user cannot change, may be 
sent in the clear.

-- 
Elliotte Rusty Harold  elharo@metalab.unc.edu
Refactoring HTML Just Published!
http://www.amazon.com/exec/obidos/ISBN=0321503635/ref=nosim/cafeaulaitA
Received on Tuesday, 14 October 2008 13:34:55 GMT
