Re: Securing Password Inputs from Jason H on 2012-08-31 (public-html-comments@w3.org from August 2012)

From: Jason H <scorp1us@yahoo.com>
Date: Fri, 31 Aug 2012 06:46:52 -0700 (PDT)
To: Arthur Clifford <art@artspad.net>, "public-html-comments@w3.org" <public-html-comments@w3.org>
Message-ID: <1346420812.67450.YahooMailNeo@web120703.mail.ne1.yahoo.com>

I'm trying to accomplish this with as little work on the server side as possible. If we could get proper salting working on the server side as it *should* be, a substantial number of the reasons for this method would be eliminated.

The server still can, and I hope it does, however the goal here is to move it client side and get the server out of it.

Well, we know the method of public key cryptography, it does not make it less numerically secure.  Yes, I am resetting the timer on when they can get it figured out. Right now that time is 0 seconds to oh, say a day. Meanwhile it can take companies several weeks to find, research and announce the breach. That timer moves to a decade in the very least, probably more like 50 years. In a decade, I expect services to crumble (i.e. facebook replaced with something), password policy to require a password change at least once a decade, so no password discovered is still valid by the time it is found.

In addition, with buy-in from browsers it stops phishing. All login pages should be pushed to HTML5, and use this proposed feature, then any page not in compliance is considered insecure, just like self-signed certs are considered insecure now by browsers.





________________________________
 From: Arthur Clifford <art@artspad.net>
To: public-html-comments@w3.org 
Sent: Thursday, August 30, 2012 7:19 PM
Subject: Re: Securing Password Inputs
 

Why not request the salt from the server?
The server could choose whether to always use the same salt or to have rotating salts etc. 
The problem with specifying how to encrypt things in a public specification is that everybody knows how it is done, and therefore all you are doing is resetting the timer for hackers to figure things out. There should be something provided by servers that the server knows and trusts.


-Art C


On Aug 30, 2012, at 11:21 AM, Jason H wrote:

Would it appease you if it were suggested that the standard be, that if no SALT attribute is supplied on the INPUT field (zero length or not present), the domain name of the ACTION attribute is used. In this way, you can accomplish those consolidations and divestments between domains?

Received on Friday, 31 August 2012 13:47:22 UTC