- From: Dave Kristol <dmk@research.bell-labs.com>
- Date: Thu, 20 Aug 1998 15:25:33 -0400 (EDT)
- To: http-wg@hplb.hpl.hp.com
> If a server permits users to select their own passwords, then the threat
> is not only illicit access to documents on the server but also illicit
> access to the accounts of all users who have chosen to use their account
> password. If users are allowed to choose their own password that also
> means the server must maintain files containing the (presumably
> encrypted) passwords. Many of these may be the account passwords of
> users perhaps at distant sites. The owner or administrator of such a
> system could conceivably incur liability if this information is not
> maintained in a secure fashion.
This paragraph surprises me a little. It seems to me that if I choose
as a password some kind of account password, then the threat is only to
me and all the accounts that share the password. I don't see how this
allows "illicit access to the accounts of all users who have chosen to
use their account password." If an adversary grabs my password, how
does that open a risk to other users?
I think what was meant here is said better and more succinctly in
Section 4.4:
> The greatest threat to the type of transactions for which these
> protocols are used is network snooping. This kind of transaction
> might involve, for example, online access to a database whose use
> is restricted to paying subscribers. With Basic authentication an
> eavesdropper can obtain the password of the user. This not only
> permits him to access anything in the database, but, often worse,
> will permit access to anything else the user protects with the
> same password.
Dave Kristol
Received on Thursday, 20 August 1998 12:27:58 UTC
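The Section 4.4 point that a passive observer of a Basic-authenticated request recovers the user's password, shown as an added example that is not part of Dave Kristol's message or of the draft. The captured request, the hostname and the credentials are constructed for this illustration; the audit function is written from a monitoring stance and never emits the secret itself.

```python
import base64
from typing import Optional

# Constructed capture of an HTTP/1.0 request (made-up host and credentials),
# the kind of traffic the "network snooping" threat in Section 4.4 refers to.
CAPTURED_REQUEST = (
    "GET /subscribers/db HTTP/1.0\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP request into a dict keyed by lowercase header name."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the request line
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def basic_credentials(raw: str) -> Optional[tuple]:
    """Return (user, password) if the request carries Basic credentials.

    Base64 is an encoding, not encryption: anyone who sees the header
    recovers exactly what the server does. Malformed tokens yield None.
    """
    auth = parse_headers(raw).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_finding(raw: str, over_tls: bool) -> str:
    """Classify the exposure for a monitoring report without logging the password."""
    creds = basic_credentials(raw)
    if creds is None:
        return "no-basic-credentials"
    user, _ = creds
    if over_tls:
        return f"basic-over-tls user={user}"
    return f"CLEARTEXT-BASIC user={user} (password recoverable by any eavesdropper)"
```

Run against a plaintext capture the finding is CLEARTEXT-BASIC, which is the case the draft warns about; the same header inside TLS is only visible to the endpoints, but the reuse problem the quoted paragraph raises remains on the server side.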