- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Thu, 23 Jun 2011 11:36:09 +0900
- To: gogwim@unijos.edu.ng
- Cc: "SHIMIZU, Kazuki" <kazubu.lepidum@gmail.com>, "public-identity@w3.org" <public-identity@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "websec@ietf.org" <websec@ietf.org>, "saag@ietf.org" <saag@ietf.org>
2011/6/23 GOGWIM, JOEL GODWIN <gogwim@unijos.edu.ng>:
> Supported.
> Weak and predictable passwords should be avoided.

I ideally agree, but in reality I hesitate to agree with it on technical grounds. In short, there is a security trade-off here.

Of course, the statement "weak and predictable passwords should be avoided", taken literally, can be read as our requirement to users and agreed with no questions. However, the original thread was prepended with "Any protocols that allow". For this purpose, the stronger the technology gets at protecting "good (unpredictable)" passwords and passphrases against possible attacks, the less such a protocol can reveal the "weakness" of passwords to servers. For the server side to detect predictable passwords using a bulky (e.g. 100k or 1M+) list, currently we need either a plain-text password authentication protocol or a plain-text password registration procedure.

On the contrary, if we forgive users' "mistake" of using such weak passwords as their own, we can introduce much stronger password protocols which do not reveal (at least immediately) the user's password at either registration or authentication time. When we face this trade-off, I don't want to throw out the latter's possibility.

In this background, "forbidding protocols which allow users to (covertly) use weak predictable passwords" means that "servers *always* know the user's plain-text password", which is obviously not a happy situation. We don't want to completely sacrifice the careful user's security in trade for the careless user's security.

Of course, even if we introduce such a "secure" password registration protocol, I foresee that some people will continue to stick to plain-text password registration for various reasons. For example, if a law required some servers (e.g. financial entities) to check and reject such predictable passwords, we would have no way to secure it.
For such purposes servers will continue to receive raw passwords and compute password hashes (or whatever equivalent) on the server side. But I think that providing a possibility of securely registering passwords with servers is one of the required things for us to do. But, again at last, I repeat that I agree that "users" should avoid weak and predictable passwords, with no questions.
Received on Thursday, 23 June 2011 02:36:45 UTC
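The trade-off Oiwa describes, as an added example that is not part of his message or of any protocol discussed in the thread: a toy model with two registration modes. In the plain-text mode the server sees the password and can reject it against a predictable-password list with one set lookup. In the verifier-only mode the client sends only a salt and a password-derived verifier, so the server can learn that the password was weak only by re-deriving every list entry under that salt, which is the "not immediately" in his text. The six-entry list, the PBKDF2-based verifier, the challenge-response authentication and the iteration count are all constructed assumptions for illustration; a real deployment would use an augmented PAKE rather than this stand-in.

```python
"""Added example (not from the original message): plain-text vs verifier-only
password registration and what each lets the server check."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for a bulky (100k+) list of predictable passwords.
PREDICTABLE = {"123456", "password", "qwerty", "letmein", "iloveyou", "admin123"}

KDF_ITERATIONS = 10_000   # kept small for the toy; real deployments use far more
KDF_CALLS = {"count": 0}  # instrumentation: how much KDF work a path costs


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Password-derived verifier, run by whichever side currently holds the password."""
    KDF_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


# Mode 1: plain-text registration. The server sees the raw password, so the
# predictability check is an immediate set lookup before anything is stored.
def register_plaintext(password: str) -> Tuple[bool, Optional[Dict[str, bytes]]]:
    if password in PREDICTABLE:
        return False, None
    salt = os.urandom(16)
    return True, {"salt": salt, "verifier": derive_verifier(password, salt)}


# Mode 2: verifier-only registration. The client derives the verifier itself;
# the server stores salt + verifier without ever seeing the password.
def client_prepare_registration(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive_verifier(password, salt)}


def register_verifier(msg: Dict[str, bytes]) -> Dict[str, bytes]:
    # No `password in PREDICTABLE` is possible here: the server has no password.
    return {"salt": msg["salt"], "verifier": msg["verifier"]}


def server_dictionary_check(record: Dict[str, bytes], candidates) -> Optional[str]:
    """The server's only option in mode 2: re-derive each candidate under the
    account's salt. Cost is one KDF call per list entry per account."""
    for cand in candidates:
        if hmac.compare_digest(derive_verifier(cand, record["salt"]), record["verifier"]):
            return cand
    return None


# Authentication in mode 2: challenge-response keyed by the verifier, so the
# password itself is never transmitted. (Toy stand-in, not an augmented PAKE.)
def server_challenge() -> bytes:
    return os.urandom(16)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


def server_verify(record: Dict[str, bytes], nonce: bytes, response: bytes) -> bool:
    expected = hmac.new(record["verifier"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> Dict[str, object]:
    # Plain-text path: the weak password is rejected at once, no KDF work spent.
    KDF_CALLS["count"] = 0
    ok_weak, _ = register_plaintext("password")
    plaintext_cost = KDF_CALLS["count"]

    # Verifier path: the same weak password is accepted; the server must run the
    # whole list through the KDF to discover that it was weak.
    record = register_verifier(client_prepare_registration("password"))
    KDF_CALLS["count"] = 0  # count only the server's work from here on
    found = server_dictionary_check(record, sorted(PREDICTABLE))
    verifier_cost = KDF_CALLS["count"]

    # Authentication never sends the password and still distinguishes right from wrong.
    nonce = server_challenge()
    good = server_verify(record, nonce, client_response("password", record["salt"], nonce))
    bad = server_verify(record, nonce, client_response("passw0rd", record["salt"], nonce))
    return {"plaintext_rejected": not ok_weak, "plaintext_kdf_calls": plaintext_cost,
            "verifier_found_weak": found, "verifier_kdf_calls": verifier_cost,
            "auth_good": good, "auth_bad": bad}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the asymmetry: the plain-text path rejects "password" with zero KDF calls, while the verifier path accepts it and the server needs five KDF calls (the position of "password" in the sorted toy list) to find out, a cost that scales with the list size times the number of accounts.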