- From: Jonathan Kingston <jonathan@jooped.com>
- Date: Wed, 30 Sep 2015 18:31:40 +0000
- To: John Wong <gokoproject@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKrjaaVuHWRs2=ZVU0rNMcLd5TJsApWrRYfCF=fsgLCBDmDLtw@mail.gmail.com>
The CM prevents making bad choices by only offering up good choices of password classes; it also has the ability to warn users of repeated use of a 'one time use password class'.

Take the most extreme example of a government agency that might want 50mb of random data for the credential; this wouldn't be suitable for logging into my local button collectors website. So the government site could specify to the CM that it only accepts class 15 passwords, whereas the button collecting website specifies credential classes 1-5.

If a site specified class 1 passwords and the user retains the password for longer than 10 uses, the CM could warn the user of its behaviour of weak credentials.

I'm not sure I understand the use-case of needing a very weak password to test with. Yes, I might not want the 50mb password generation and storage time, but I suspect the CM generating 20 chars won't suffer from that issue.

On Wed, Sep 30, 2015 at 4:47 PM John Wong <gokoproject@gmail.com> wrote:

> On Wed, Sep 30, 2015 at 5:57 AM, Jonathan Kingston <jonathan@jooped.com> wrote:
>>
>> The credential manager would also have the ability to inform users of
>> applications using weak credentials for longer time periods than suggested.
>>
>> ---
>>
>> This might for example look like:
>>
>>     navigator.credentials.get({ "password": true, credentialClass: 2 })
>>
>> An application would inform the credential manager what class of
>> credential they require; this prevents the credential manager sending
>> things that the app can't cope with, however it also prevents the site making
>> bad choices.
>
> This is where it confuses me, and excuse me if it is clear to others. How should
> the CM prevent the site from making bad choices?
>
> I think the first part is like a handshake where we exchange, negotiate and
> agree upon something. But maybe we have to be careful with negotiation - if
> the WG says these are the only classes the UA supports, at least there should be an
> option in the browser to bypass the negotiation so it makes testing easy
> (maybe I want to test a weak password).
>
> John
Received on Wednesday, 30 September 2015 18:32:19 UTC