Re: New draft TAG finding - Passwords in the Clear

Vincent Quint wrote:

> The purpose of this finding is to clarify the security concerns around
> using passwords on the world wide web.  Specifically, the objective is
> to point out a few conclusions the TAG has come to;
> 1) Passwords MUST NOT be transmitted in clear text.

This restriction strikes me as a little strong, though perhaps 
advisable. I have in the past frequently used HTTP Basic auth over 
regular sockets (not SSL) for low security needs. For instance, I've 
sometimes sent the same user name and password to multiple reviewers for 
a draft article. Mostly I'm just trying to keep Google's search bot out 
of it, and it doesn't bother me a great deal if someone not in my 
approved list sees it.

-- 
Elliotte Rusty Harold  elharo@metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/

Received on Wednesday, 1 November 2006 14:50:32 UTC