
Re: Password generation classes

From: John Wong <gokoproject@gmail.com>
Date: Tue, 29 Sep 2015 23:30:39 -0400
Message-ID: <CACCLA54f4BqVQSnAwmtKsU+DXmvAHR4Udx4534D3DOyPYRKiBA@mail.gmail.com>
To: Jonathan Kingston <jonathan@jooped.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Sep 29, 2015 at 8:07 PM, Jonathan Kingston <jonathan@jooped.com> wrote:

> As to create somewhat of a new topic diversion on this group I wanted to
> table the discussion of password creation.
> The Credential management API at some point will need to allow users to
> create passwords somehow.

Not sure if this is really within the scope of CM. Is "allow" the right
term here?

> The core issues as I see it are:
> - Sites create schemes that users can't understand
> - Sites are under the illusion that limiting down the character set to
> include x upper, x digits, and x special chars makes passwords much stronger
> - Sites have a finite storage limitation
> - Sites have a processing limitation
> - Users are likely to pick bad passwords so some of these rules, limits
> and design choices have happened because of that

This is true and I hate that every organization has its own scheme because
everyone claims "oh yeah because this is our requirement."

I am not understanding the actual proposal. Is this proposal about the
ability for a website to inform the UA that it only accepts one or more
password/credential classes, and the UA must reject the password if it does
not fulfill the requirement? Or are you also proposing that CM should
implement password generation (as in the 3rd part of your email)?

I just want to say that IMO the user-agent should refrain from deciding what
is better for the end-user and for the website; instead, it should just
accept what the website wants. But this means we are back to square one -
every website will come with its own requirement. I think allowing the
user-agent to reject input, instead of having someone write JavaScript to
remind the user "this is bad", would be helpful (but I am not sure about the
UX part of this).


Received on Wednesday, 30 September 2015 03:31:07 UTC
