Re: Passwords in the clear update from David Orchard on 2008-10-10 (www-tag@w3.org from October 2008)

From: David Orchard <orchard@pacificspirit.com>
Date: Fri, 10 Oct 2008 07:19:28 -0700
To: "John Kemp" <john.kemp@nokia.com>
Cc: elharo@metalab.unc.edu, "Ray Denenberg, Library of Congress" <rden@loc.gov>, noah_mendelsohn@us.ibm.com, "Jonathan Rees" <jar@creativecommons.org>, www-tag@w3.org
Message-ID: <2d509b1b0810100719m4c98c70gc60fd0f4c05b9d7b@mail.gmail.com>

The question is about how "harsh" the stick should be.  Saying "MUST NOT"
when people very occasionally have legitimate reasons devalues the finding
and the advice.  I think we have to be beat the point about the dangers and
encourage people to not use them.

I think the finding currently reflects the very best that we are going to
get in terms of such a stance, and that is the least objectionable to the
most number of people.

Cheers,
Dave

On Fri, Oct 10, 2008 at 6:23 AM, John Kemp <john.kemp@nokia.com> wrote:

>
> ext Elliotte Harold wrote:
>
>> Ray Denenberg, Library of Congress wrote:
>>
>>> A blanket admonishment: "do not ever, under any circumstance, use
>>> passwords
>>> in the clear", is fairly useless, most everyone will ignore it. People
>>> are
>>> not going to stop. Better to educate people on the dangers.
>>>
>>
>> Give that blanket admonishment, and then explain the reasons behind it;
>> but don't compromise the good advice because you think it may not be
>> followed by all people in all circumstances.
>>
>
> I wholeheartedly agree. What is the sense in continuing to implicitly
> condone these practices? Who would care?
>
> It is not that people will necessarily stop using passwords in the clear,
> but shouldn't we have a metaphorical stick to beat them with?
>
> - johnk
>
>

Received on Friday, 10 October 2008 14:20:05 UTC