- From: Thomas A. Fine <fine@head.cfa.harvard.edu>
- Date: Tue, 04 Sep 2012 16:56:21 -0400
- To: public-html-comments@w3.org
On 9/4/12 9:31 AM, Jason H wrote:

> That's a pretty good summary, though I think it needs a few corrections.
> 1. My original proposal is just to hash passwords on the client side.
> The extended hashing on the server side is something that can be done
> later. The important bit here is that it is transparent to the server if
> it is prehashed or not. Either way the attacker has to defeat at least 2
> hashes. The proper solution is to still salt and hash what you got from
> the browser.

But it is pointless. You still can't force the developer to do an extra round of hashing. All you've accomplished is substituting one clear text password for a different clear text password. If a hacker steals the stored password that was only hashed on the client, it is exactly as good as a stored password that was not hashed at all on the client.

If you are envisioning a future where all passwords are sent hashed and all browsers conform to this behaviour, this still does not prevent hackers from writing software that does not adhere to this standard so that they can use the hashed password directly. You gain nothing at all.

> 4. This sucks and someone needs to do something about it. The browser
> people have been very pro-active and there are far fewer browser
> platforms (Opera, IE, Chrome(webkit), Safari(webkit), Firefox (gecko))
> than there are websites to screw this up. That's why I am advocating a
> client-side approach.

I agree that it sucks. There are many technological solutions available, but all of these things are only useful in the hands of developers that actually know (and care about) what they are doing. Apple, Google, Facebook, and Twitter are all well-positioned for providing off-the-shelf third party authentication solutions, and to varying degrees they are all making moves in that direction.

The compelling motivation for customers is actually simplified logins rather than improved security, but the improved security will happen given the reputations of these big companies. Personally, I have some privacy concerns there as these entities become increasingly "Big-Brother-ish". But it's the most likely path out of the mess you're looking at.

tom
Received on Tuesday, 4 September 2012 20:56:49 UTC
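The point Tom makes above (a client-side hash that the server stores unchanged is just a different clear text password) can be shown in code. This is an added illustration, not part of the original message or the thread; it assumes an unsalted SHA-256 client prehash and a PBKDF2 server-side step, both chosen here for the demonstration.

```python
import hashlib
import hmac
import os


def client_prehash(password: str) -> str:
    # The browser-side hash from the proposal (assumed SHA-256, unsalted).
    return hashlib.sha256(password.encode()).hexdigest()


class NaiveServer:
    """Stores whatever the browser sent and compares it on login.
    This is the case the message warns about: the stored value is the credential."""

    def __init__(self):
        self.db = {}

    def register(self, user: str, sent: str) -> None:
        self.db[user] = sent

    def login(self, user: str, sent: str) -> bool:
        return hmac.compare_digest(self.db.get(user, ""), sent)


class SaltingServer:
    """Salts and re-hashes the received value (the 'proper solution' Jason mentions)."""

    def __init__(self):
        self.db = {}

    def _derive(self, sent: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", sent.encode(), salt, 100_000)

    def register(self, user: str, sent: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(sent, salt))

    def login(self, user: str, sent: str) -> bool:
        rec = self.db.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(sent, salt))


def stored_value_is_password_equivalent(server) -> bool:
    """Register a constructed account, then check whether the stored record alone,
    replayed as the value a browser would send, passes login. True means a leaked
    database row is as good as the password itself."""
    server.register("alice", client_prehash("correct horse battery staple"))
    record = server.db["alice"]
    leaked = record if isinstance(record, str) else record[1].hex()
    return server.login("alice", leaked)
```

With the naive server the leaked row logs in directly; with the salting server it does not, while the genuine client prehash still authenticates against both.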