Re: Securing Password Inputs from Seth Call on 2012-08-31 (public-html-comments@w3.org from August 2012)

From: Seth Call <sethcall@gmail.com>
Date: Fri, 31 Aug 2012 10:02:08 -0500
To: Jason H <scorp1us@yahoo.com>
Cc: Cameron Jones <cmhjones@gmail.com>, Arthur Clifford <art@artspad.net>, "public-html-comments@w3.org" <public-html-comments@w3.org>
Message-ID: <CAKPrmVV6MmctZqX7qTagVaiFMxFzjRusKt_HQJ2o9n0+CYhu0A@mail.gmail.com>

There is no such thing as moving security to the browser, because it is a
client-side application.  If you disagree, OK,  go right ahead... but  this
is a server-side mindset and I'd assert you will never, ever win that
argument with security-minded folks.

If you want to make it easy to implement server-side code, then by all
means contribute to bcrypt (or other good password encryption technology),
or language/framework adoption of it.

But in the context of HTML5 and browsers, I can only recommend:

Make end users aware of the importance of passwords. This is the basis of
my suggestion, earlier in the thread, on making a standardized way to give
users feedback on the strength of their password.

On Fri, Aug 31, 2012 at 9:49 AM, Jason H <scorp1us@yahoo.com> wrote:

> They might be cagey, but they are completely absent in implementation in
> the storage routines of user credentials for most sites.
>
> Moving security to the browser is much easier because there are less
> browsers than applications.
>
>   ------------------------------
> *From:* Cameron Jones <cmhjones@gmail.com>
> **
> > The problem with specifying how to encrypt things in a public
> specification
> > is that everybody knows how it is done, and therefore all you are doing
> is
> > resetting the timer for hackers to figure things out. There should be
> > something provided by servers that the server knows and trusts.
>
> Exactly. There is a reason why security folks are cagey.
>
>
>

Received on Friday, 31 August 2012 15:02:51 UTC