- From: John Kemp <john.kemp@nokia.com>
- Date: Fri, 10 Oct 2008 10:39:21 -0400
- To: ext David Orchard <orchard@pacificspirit.com>
- CC: elharo@metalab.unc.edu, "Ray Denenberg, Library of Congress" <rden@loc.gov>, noah_mendelsohn@us.ibm.com, Jonathan Rees <jar@creativecommons.org>, www-tag@w3.org
ext David Orchard wrote:
> The question is about how "harsh" the stick should be. Saying "MUST
> NOT" when people very occasionally have legitimate reasons devalues the
> finding and the advice.

What are these legitimate reasons? Or perhaps put another way, what do we consider a "password" to be, if not a *secret* best shared only between exactly two parties and used to authenticate one party to the other?

> I think we have to be beat the point about the
> dangers and encourage people to not use them.
>
> I think the finding currently reflects the very best that we are going
> to get in terms of such a stance, and that is the least objectionable to
> the most number of people.

Perhaps. But if we wave our hands in the air, will anyone hear us?

As you say in your introduction:

"Security on the World Wide Web is an important issue which needs to be addressed, or mistrust of the Web will limit its growth potential."

Password-based authentication is, for better or worse, an important part of security on the World Wide Web.

Cheers,

- johnk

> Cheers,
> Dave
>
> On Fri, Oct 10, 2008 at 6:23 AM, John Kemp <john.kemp@nokia.com> wrote:
>
>> ext Elliotte Harold wrote:
>>
>>> Ray Denenberg, Library of Congress wrote:
>>>
>>>> A blanket admonishment: "do not ever, under any circumstance, use
>>>> passwords in the clear", is fairly useless, most everyone will
>>>> ignore it. People are not going to stop. Better to educate people
>>>> on the dangers.
>>>
>>> Give that blanket admonishment, and then explain the reasons
>>> behind it; but don't compromise the good advice because you
>>> think it may not be followed by all people in all circumstances.
>>
>> I wholeheartedly agree. What is the sense in continuing to
>> implicitly condone these practices? Who would care?
>>
>> It is not that people will necessarily stop using passwords in the
>> clear, but shouldn't we have a metaphorical stick to beat them with?
>>
>> - johnk

Received on Friday, 10 October 2008 14:42:46 UTC