- From: Ray Denenberg, Library of Congress <rden@loc.gov>
- Date: Thu, 9 Oct 2008 11:54:14 -0400
- To: <elharo@metalab.unc.edu>, <noah_mendelsohn@us.ibm.com>
- Cc: "Jonathan Rees" <jar@creativecommons.org>, "David Orchard" <orchard@pacificspirit.com>, <www-tag@w3.org>
From: "Elliotte Harold" <elharo@metalab.unc.edu>

> I now think
> the only reasonable answer is that clear text passwords are never
> acceptable. Full stop. Any suggestion that they might be acceptable in
> some circumstances is irresponsible. We need to bite the bullet and
> accept that.

I haven't been a part of this discussion, but I have to weigh in: I just think this is simply not true and to assert that it is seems misleading.

Clearly, *clearly*, there are cases where you have to send a password in the clear and there isn't any way around it. The example that comes to mind is when the service tells you what password to use, and everyone uses that password. The password might be "password". (The service doesn't care that everyone in the world can access it, but it is configured to require a password.)

The argument that, well, you (the client) might then use that same password for some other application (where *you* have to coin the password, rather than use one that the service tells you to use), does that really make sense in this case?

--Ray
Received on Thursday, 9 October 2008 16:10:22 UTC