RE: New draft TAG finding - Passwords in the Clear

Elliotte Harold:

| > 1) Passwords MUST NOT be transmitted in clear text.
| This restriction strikes me as a little strong, though perhaps
| advisable. I have in the past frequently used HTTP Basic auth over
| regular sockets (not SSL) for low security needs. For instance, I've
| sometimes sent the same user name and password to multiple reviewers for
| a draft article. Mostly I'm just trying to keep Google's search bot out
| of it, and it doesn't bother me a great deal if someone not in my
| approved list sees it.

I had the same feeling reading this. I use HTTP Basic auth to keep spambots
out of a semi-public wiki (I know others do this too), and don't feel
bothered by clear-text passwords in this particular case.


Received on Thursday, 2 November 2006 09:47:09 UTC
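As an added illustration of what the draft finding is about (this is editor-supplied example code, not part of the thread or of any W3C document): the HTTP Basic scheme only base64-encodes "user:password", so over a plain socket the password is readable by anything on the path. The request text and the credential "reviewer:draft2006" below are constructed for the example.

```python
import base64
import binascii

# Constructed sample request as it would travel over a plain (non-SSL) socket.
# The credential reviewer:draft2006 is made up for this illustration.
SAMPLE_REQUEST = (
    "GET /drafts/article.html HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "Authorization: Basic cmV2aWV3ZXI6ZHJhZnQyMDA2\r\n"
    "\r\n"
)


def basic_auth_header(username, password):
    """Build the Authorization value a client sends for HTTP Basic auth.

    RFC 2617 just base64-encodes "user:pass"; base64 is an encoding, not
    encryption, so the transport alone decides whether the password is exposed.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def extract_basic_credentials(raw_request):
    """Return (username, password) from a Basic Authorization header, or None
    if the request carries no usable Basic credential."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                          # e.g. Digest: not sent in clear
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")  # password may contain ':'
        return (user, password) if sep else None
    return None


def password_exposed(raw_request, over_tls):
    """The finding's concern as a predicate: Basic credentials are exposed
    exactly when they are sent over an unprotected transport."""
    return (not over_tls) and extract_basic_credentials(raw_request) is not None
```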