- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Thu, 14 Feb 2008 07:37:36 -0800
- To: "David Orchard" <dorchard@bea.com>, <public-usable-authentication@w3.org>
- Message-ID: <2788466ED3E31C418E9ACC5C316615572075C7@mou1wnexmb09.vcorp.ad.vrsn.com>
"There are some cases where it is acceptable to transmit passwords in the clear. One example is that placing a password on a page can be used as a simple way to stop web crawlers without really having to 'secure' the content. Administrators using a clear text password need to be aware that passwords used for this type of purpose SHOULD NOT re-use the same password in contexts that are more sensitive."

I would phrase this as a 'not directly harmful' practice rather than an 'acceptable' one. I do not like schemes that teach users to repurpose security channels. It means that when we try to educate users about good practices we have to include exclusions and caveats to deal with these corner cases.

The same effect can be achieved through a POST form; there is no value to using a password field in this case, and in fact it is an encumbrance.

________________________________

From: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] On Behalf Of David Orchard
Sent: Wednesday, February 13, 2008 8:48 PM
To: public-usable-authentication@w3.org
Subject: Draft W3C TAG Finding "Passwords in the Clear" available for review

Dear Web Security Context WG,

On behalf of the W3C TAG, I would like to solicit your review of the Draft TAG finding "Passwords in the Clear" [1]. Comments on this draft should be posted to www-tag@w3.org and are appreciated. We do not have a firm deadline, but I'd like to suggest March 7th 2008 as a rough timeframe for comments.

Cheers,
Dave Orchard

[1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
Received on Thursday, 14 February 2008 15:37:56 UTC