- From: Jonathan Rees <jar@creativecommons.org>
- Date: Tue, 7 Oct 2008 15:12:42 -0400
- To: noah_mendelsohn@us.ibm.com
- Cc: David Orchard <orchard@pacificspirit.com>, "www-tag@w3.org" <www-tag@w3.org>
Yes, I think this is an important point, and that's why I wrote (maybe you didn't see this): "remind developers / site administrators that users of passwords transmitted in this way must (MUST?) be told in no uncertain terms that such passwords should be treated as public knowledge and shouldn't be used to protect anything that matters." This could be amplified with explicit mention of the case where someone might be tempted to reuse, in an in-the-clear context, a password that *already* protects something that matters. Just don't do it.

I looked for wording like this in the draft and didn't find it, and didn't see it in the IRC log, so I thought it was possible that there was a reason we shied away from it.

To talk about "the risks" and "being aware of the risks" is a bit coy, I think. It sounds like we're choosing not to tell readers what those risks are, that it's a puzzle for them (or their users) to figure out. Better to just say: It's not secure, don't let anyone think it is, do it only when security doesn't matter.

Jonathan

On Oct 7, 2008, at 1:50 PM, noah_mendelsohn@us.ibm.com wrote:

> Jonathan Rees suggests:
>
>> "Good practice: Clear text passwords are a serious security risk.
>> Transmit passwords in the clear only in applications that do not
>> require any assurance of security."
>
> I'm sympathetic to your attempt to come up with something, but I think
> this misses an important nuance that is mentioned in the draft minutes of
> our meetings. As I understand it, one concern is with the risk that
> novices will use the same password for multiple applications. So, you
> deploy the "birthday party registration application" for your child, and
> decide that pwds in the clear are just fine for that. Unbeknownst to you,
> those registering for the birthday party use the same password as for
> their bank account. Nefarious network sniffers pick up the pwd from the
> birthday login, and use it to empty the bank account.
>
> I believe we were told by the security "experts" that this sort of thing
> was an important concern for them, and one of the reasons they wanted to
> prohibit pwds in the clear entirely. Perhaps:
>
> "Good practice: Clear text passwords are a serious security risk. Transmit
> passwords in the clear only in applications that do not
> require any assurance of security, and when users are aware of the
> risks."
>
> Noah
>
> --------------------------------------
> Noah Mendelsohn
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
Received on Tuesday, 7 October 2008 19:13:25 UTC
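Editor's added example, not part of the www-tag thread above: the "nefarious network sniffer" in Noah's scenario needs nothing more than the code below. Given two constructed clear-text HTTP requests to a hypothetical host "party.example" (one using HTTP Basic authentication, one a form-encoded login POST), it recovers the username and password from each. Basic auth is only base64, not encryption, so the credential is exactly as public as the form field; that is why the thread's point that such passwords "should be treated as public knowledge" is the honest statement of the risk.

```python
"""Recover credentials from captured clear-text HTTP requests.

Added example; the requests below are constructed, with a hypothetical host
"party.example" and user "alice". They stand in for what a passive observer
on the same network path sees when a site accepts passwords over plain http://.
"""
import base64
from urllib.parse import parse_qs

# Constructed capture: a Basic-auth GET and a form-login POST.
CAPTURED_REQUESTS = [
    (
        "GET /rsvp HTTP/1.1\r\n"
        "Host: party.example\r\n"
        "Authorization: Basic YWxpY2U6Y29ycmVjdGhvcnNl\r\n"
        "\r\n"
    ),
    (
        "POST /login HTTP/1.1\r\n"
        "Host: party.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 36\r\n"
        "\r\n"
        "username=alice&password=correcthorse"
    ),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_credentials(raw):
    """Return (username, password) if the request carries a clear-text credential, else None.

    Two common cases are handled: the HTTP Basic scheme, whose token is plain
    base64 of "user:password" (an encoding, not a cipher), and a login form
    posted as application/x-www-form-urlencoded.
    """
    _, headers, body = parse_request(raw)

    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        return user, password

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body)
        # Field names are guesses at common conventions, not a standard.
        for ukey in ("username", "user", "login", "email"):
            for pkey in ("password", "passwd", "pass"):
                if ukey in fields and pkey in fields:
                    return fields[ukey][0], fields[pkey][0]

    return None


def harvest(requests):
    """Run extract_credentials over every captured request and collect the hits."""
    found = []
    for raw in requests:
        creds = extract_credentials(raw)
        if creds is not None:
            found.append(creds)
    return found


if __name__ == "__main__":
    for user, password in harvest(CAPTURED_REQUESTS):
        print(f"recovered: {user} / {password}")
```

Both requests yield the same pair, which is the thread's point in miniature: once a password has crossed the wire in the clear, no later design choice on the site can take it back, and if the user also uses it elsewhere the exposure travels with it. The only fix is to not transmit passwords in the clear at all (TLS, or no password); a different encoding is not one.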