- From: Ray Denenberg, Library of Congress <rden@loc.gov>
- Date: Thu, 9 Oct 2008 16:48:00 -0400
- To: "John Kemp" <john.kemp@nokia.com>
- Cc: <elharo@metalab.unc.edu>, <noah_mendelsohn@us.ibm.com>, "Jonathan Rees" <jar@creativecommons.org>, "David Orchard" <orchard@pacificspirit.com>, <www-tag@w3.org>
A blanket admonishment: "do not ever, under any circumstance, use passwords
in the clear", is fairly useless, most everyone will ignore it. People are
not going to stop. Better to educate people on the dangers.
So the reasoning I've followed on this thread:
Let's say for example I have to declare a password that's to be used for
access to some photos I've downloaded. So I declare 3a24H4!$x3 - strong
enough that nobody is going to guess it, but I don't care who accesses
these photos. And I went to all that trouble to generate a strong password,
and I have to memorize it, so I'll use if for access to my bank account,
after all, I'm not going to send in in the clear for bank account access.
And the argument is "Don't do that!" because by transmitting it in the clear
for photo access, someone may steal it, and then may try to use it to access
my bank account.
Now that's useful advice. Much more useful than "don't ever send passwords
in the clear". The problem is that it isn't easily expressed. You could
say: "if you do ever send a password in the clear, it is recommended that
that same password not be one which can be used to provide access to
sensitive information." But even that can be misinterpreted ("I'm only
sending it in the clear to access non-sensitive information, so I'm ok".)
I think the example itself (in some form) should be included in the advice.
--Ray
----- Original Message -----
From: "John Kemp" <john.kemp@nokia.com>
To: "ext Ray Denenberg, Library of Congress" <rden@loc.gov>
Cc: <elharo@metalab.unc.edu>; <noah_mendelsohn@us.ibm.com>; "Jonathan Rees"
<jar@creativecommons.org>; "David Orchard" <orchard@pacificspirit.com>;
<www-tag@w3.org>
Sent: Thursday, October 09, 2008 12:27 PM
Subject: Re: Passwords in the clear update
>
> ext Ray Denenberg, Library of Congress wrote:
> > From: "Elliotte Harold" <elharo@metalab.unc.edu>
> >> I now think
> >> the only reasonable answer is that clear text passwords are never
> >> acceptable. Full stop. Any suggestion that they might be acceptable in
> >> some circumstances is irresponsible. We need to bite the bullet and
> >> accept that.
> >
> > I haven't been a part of this discussion, but I have to weigh in: I just
> > think this is simply not true and to assert that it is seems misleading.
> > Clearly, *clearly*, there are cases where you have to send a password in
the
> > clear and there isn't any way around it. The example that comes to mind
is
> > when the service tells you what password to use, and everyone uses that
> > password. The password might be "password". (The service doesn't care
that
> > everyone in the world can access it, but it is configured to require a
> > password.)
>
> By a password, I think we are talking about some secret piece of
> information shared between one party and another, and intended to be
> kept secret between those two parties.
>
> If, by "password", we *do* mean some piece of information intended to
> remain secret, and intended to be shared between just two parties (not
> more) then I think it should be required (or recommended, should it not
> be possible to require it) that the shared secret is not sent, or (even
> better) stored, in cleartext.
>
> Of course, I do recognize that this is aspirational, and also that
> people may have a looser interpretation of the term "password" than I do.
>
> Regards,
>
> - johnk
>
Received on Thursday, 9 October 2008 20:49:18 UTC