Updated passwords in the clear

From: David Orchard <dorchard@bea.com>
Date: Tue, 13 Nov 2007 13:26:10 -0800
Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E0106E6AF@repbex01.amer.bea.com>
To: "W3C-TAG Group WG" <www-tag@w3.org>
Based on our f2f meeting.  And I did a couple of tweaks to texts that I
thought read better:

"Because many systems store passwords as a salted hash, it is not possible
in practice for both parties using such systems to compute the same
initial secret value."

"However, there's no obvious method by which a web browser can reliably
know when the data entered is sensitive. Furthermore, in browsers which
enable scripting, it may be impossible to know whether the information
is transmitted in clear text. For example, many forms use onSubmit
actions to start JavaScript programs. These programs secure the password
and then transmit the password and other information. A User Agent
cannot examine the JavaScript to ensure that the password is not
transmitted in clear text. Because of these limitations, this finding
provides no Good Practice advice to User Agent authors."

Received on Tuesday, 13 November 2007 21:26:39 UTC
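
An added sketch of the first quoted passage (not code from the message or from the finding it edits), assuming a challenge-response login in which client and server must each derive the same secret before answering a nonce. PBKDF2, the iteration count, the function names and the sample password are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def salted_hash(password, salt):
    """The value a server keeps on disk instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(password):
    """Server-side enrollment: a fresh random salt per account."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def respond(secret, nonce):
    """Answer a challenge by keying an HMAC with the shared secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def server_verify(stored, nonce, response):
    """The server can only key its check with what it actually stores."""
    return hmac.compare_digest(respond(stored, nonce), response)


def demo():
    password = "correct horse battery staple"  # constructed sample input
    salt, stored = enroll(password)
    nonce = os.urandom(16)

    # Client knows only the password, so it derives an unsalted secret.
    client_secret = hashlib.sha256(password.encode()).digest()
    without_salt = server_verify(stored, nonce, respond(client_secret, nonce))

    # Client is handed the salt and repeats the server's derivation.
    shared = salted_hash(password, salt)
    with_salt = server_verify(stored, nonce, respond(shared, nonce))

    # A second system enrolling the same password stores a different value.
    _, other_stored = enroll(password)
    return {"without_salt": without_salt, "with_salt": with_salt,
            "same_across_systems": stored == other_stored}


if __name__ == "__main__":
    print(demo())
```

The `with_salt` case succeeds only because the stored hash itself becomes the shared secret, so anyone who can read the credential store can answer challenges without knowing the password.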