- From: David Orchard <dorchard@bea.com>
- Date: Wed, 9 Apr 2008 15:54:03 -0700
- To: "Dan Connolly" <connolly@w3.org>
- Cc: <www-tag@w3.org>
The bulk of Chris Drake's message:

The "passwords" you propose to protect are short alphanumeric ascii tokens, usually based on human-recognizable things like words. The "keyspace" of these makes it trivial on modern PCs to test every possible combination against whatever hash or obscuring method you choose, in a very short time.

Using either Rainbow tables, or google, cracking hashed passwords more often than not takes only a few seconds nowadays.

http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/

Given that obscuring/hashing passwords makes people erroneously believe they are now secure - it could well be making things worse by doing this, rather than by sending via plain text: at least when they were in plaintext, every uneducated person who could observe them passing by was able to understand it's not secure. Hashing merely serves to deceive the people building and operating the insecure system, all while handing hackers and crackers free access to the original plaintext passwords.

Cheers,
Dave

> -----Original Message-----
> From: Dan Connolly [mailto:connolly@w3.org]
> Sent: Wednesday, April 09, 2008 3:26 PM
> To: David Orchard
> Cc: www-tag@w3.org
> Subject: Re: Summary of Responses to Passwords in the Clear
> from Web SC Working Group
>
>
> On Wed, 2008-04-09 at 15:03 -0700, David Orchard wrote:
> [...]
> > 2) Digest is not acceptable.
>
> ?!
>
> Really? That's a disappointing conclusion.
>
> If I'm following the argument, it's because the server
> doesn't authenticate to the client in the digest protocol. Hmm.
> I suppose that's a good argument. :-/
>
>
>
> --
> Dan Connolly, W3C http://www.w3.org/People/Connolly/
> gpg D3C2 887B 0F92 6005 C541 0875 0F91 96DE 6E52 C29E
>
>
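An added illustration of the keyspace point quoted above (example code written for this archive page, not from anyone in the thread): a hash of a human-chosen password is reversed by a single lookup in a table precomputed over the candidate words, and even a per-user salt, which does defeat the precomputed table, does not stop a per-target trial over the same small keyspace. The wordlist and the salt are constructed sample values; the takeaway for a designer is that hashing a password for transport is an obscuring step, not a confidentiality mechanism.

```python
import hashlib

# Constructed stand-in for a real dictionary; the point holds for any
# human-chosen keyspace, it is just far larger in practice.
WORDLIST = ["password", "letmein", "welcome", "monkey", "dragon", "sunshine"]


def build_lookup_table(words, algo="sha1"):
    """Precompute digest -> plaintext for every candidate.

    This is the principle behind a rainbow table or a web search for a
    hash value: the work is done once, in advance, for every target.
    """
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def lookup(digest_hex, table):
    """Reverse an unsalted hash with a single dictionary lookup."""
    return table.get(digest_hex)


def salted_digest(password, salt, algo="sha1"):
    """Hash with a per-user salt (salt=b"" gives the plain, unsalted digest)."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def trial_search(digest_hex, salt, words, algo="sha1"):
    """Per-target exhaustive trial over the keyspace.

    A salt makes the precomputed table useless, but not this loop: with a
    small keyspace and a fast hash it still finishes almost instantly.
    """
    for w in words:
        if salted_digest(w, salt, algo) == digest_hex:
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    observed = salted_digest("monkey", b"")  # constructed: unsalted hash seen on the wire
    print("unsalted, via table:", lookup(observed, table))
    salt = b"\x9f\x3a"  # constructed per-user salt
    salted = salted_digest("monkey", salt)
    print("salted, via table:  ", lookup(salted, table))
    print("salted, via trial:  ", trial_search(salted, salt, WORDLIST))
```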
Received on Wednesday, 9 April 2008 22:55:23 UTC