Updated passwords in the clear

Based on our f2f meeting.  And I did a couple of tweaks to texts that I
thought read better:

"Because many systems store passwords as a salted hash, it is not possible
in practice for both parties using such systems to compute the same
initial secret value."

"However, there's no obvious method by which a web browser can reliably
know when the data entered is sensitive. Furthermore, in browsers which
enable scripting, it may be impossible to know whether the information
is transmitted in clear text. For example, many forms use onSubmit
actions to start JavaScript programs. These programs secure the password
and then transmit the password and other information. A User Agent
cannot examine the JavaScript to ensure that the password is not
transmitted in clear text. Because of these limitations, this finding
provides no Good Practice advice to User Agent authors."







Received on Tuesday, 13 November 2007 21:26:39 UTC
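
Added example, not part of the original message: a sketch of the salted-hash point in the first quoted paragraph. It assumes a simple HMAC challenge-response between client and server and PBKDF2 as the storage hash; every function name and sample value is constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def salted_hash(password: str, salt: bytes) -> bytes:
    """What the server stores at enrolment instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def prove(secret: bytes, nonce: bytes) -> bytes:
    """Challenge response: HMAC of the server's nonce under the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def server_accepts(server_secret: bytes, nonce: bytes, response: bytes) -> bool:
    """Server recomputes the response from its own secret and compares."""
    return hmac.compare_digest(prove(server_secret, nonce), response)


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    salt = os.urandom(16)                      # chosen by the server, unknown to the client
    stored = salted_hash(password, salt)       # the server's only secret
    nonce = os.urandom(16)                     # fresh challenge

    # The client holds the password but not the salt, so its starting
    # secret cannot match what the server stored.
    client_unsalted = hashlib.sha256(password.encode()).digest()
    # If the server discloses the salt, both sides reach the same value.
    client_salted = salted_hash(password, salt)

    return {
        "client_without_salt": server_accepts(stored, nonce, prove(client_unsalted, nonce)),
        "client_with_salt": server_accepts(stored, nonce, prove(client_salted, nonce)),
        # Caveat: once the stored hash is the shared secret, the hash alone
        # (without the password) is enough to pass the check.
        "stored_hash_alone": server_accepts(stored, nonce, prove(stored, nonce)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

The third result is why sharing the salt is not a free fix: the stored hash then has to be protected like the password itself.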