Comments on Passwords in the Clear


Here are some editorial suggestions on the draft "passwords in the clear" 


The purpose of this finding is to clarify the security concerns around 
using passwords on the world wide web.  Specifically, the objective is to 
point out a few conclusions the TAG has come to:  <- should be a colon not 
a semicolon
1) Passwords MUST NOT be transmitted in clear test.  <--- typo (test vs. 
2) Passwords MUST NOT be displayed on the html form in clear test.   <--- 
typo (test vs. text)

miss-trust -> mistrust


This paper will talk -> This paper talks (suggest use of present tense)


as it relates to the world wide web.  -> capitalize World Wide Web


When the passwords are transmitted in clear text, the password is 
vulnerable in many ways;   -> Which passwords?  Suggest deleting the word 


transactions are related to Fraud.    -> suggest you don't capitalize 


'shared secret (a password)  -> missing close quote


without trasmittion  -> spelling


This verification method can be done without trasmittion of the password 
in clear text which is intended to address the HTTP 1.0 Basic method of 
authentication.    -> Ambiguous antecedent of "which is intended to 
address".  In other words, the word "which" can be parsed as referring to 
either "verification method can be done", the "transmitton" [sic], or the 
"clear text".  In fact, I'm not quite sure what you're trying to convey. 
Suggest you reword the sentence.


The Digest method assumes that the username and password are prearranged 
however which may be a limitation to many applications. -> I think this 
reads a bit clumsily, but suggest at very least commas are needed around 
"however".  You might reword: 

"The requirement to prearrange usernames and passwords may complicate or 
prevent the use of Digest Authentication for certain applications."

I hope these suggestions are helpful.


Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142

Received on Saturday, 7 October 2006 03:05:40 UTC
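The distinction the draft is reaching for in the Basic-versus-Digest sentences, shown as an added example (not part of the email or the draft finding): with HTTP Basic the password is only Base64-encoded, so anyone who sees the request reads it back; with Digest the wire carries an MD5 response derived from the password, and verification works only because the server already holds the prearranged credential (the "prearranged" limitation the draft mentions). The credentials, realm, nonce and URI below are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values; nothing here comes from the draft or the email.
USERNAME, REALM, PASSWORD = "alice", "example.test", "correct horse"
METHOD, URI, NONCE = "GET", "/dir/index.html", "dcd98b7102dd2f0e8b11d0f6"


def basic_header(username: str, password: str) -> str:
    """HTTP Basic Authorization value (RFC 2617 section 2)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def password_from_basic_header(header_value: str) -> str:
    """What a passive observer of clear-text HTTP learns: Base64 is an
    encoding, not encryption, so the password comes straight back out."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    return base64.b64decode(token).decode().split(":", 1)[1]


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def enroll(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), the prearranged value the server
    keeps on file; without it Digest cannot verify anyone."""
    return _md5(f"{username}:{realm}:{password}")


def digest_from_ha1(ha1: str, method: str, uri: str, nonce: str) -> str:
    """Digest response without qop (RFC 2617 section 3.2.2.1):
    response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    return _md5(f"{ha1}:{nonce}:{_md5(f'{method}:{uri}')}")


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Client side: the password is used locally and never sent."""
    return digest_from_ha1(enroll(username, realm, password), method, uri, nonce)


def server_verifies(stored_ha1, method, uri, nonce, response) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_from_ha1(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header(USERNAME, PASSWORD)
    print("Basic header reveals:", password_from_basic_header(hdr))
    resp = digest_response(USERNAME, REALM, PASSWORD, METHOD, URI, NONCE)
    print("Digest response on the wire:", resp)
    print("Server accepts:", server_verifies(enroll(USERNAME, REALM, PASSWORD), METHOD, URI, NONCE, resp))
```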