Re: Passwords in the clear update

ext David Orchard wrote:
> The question is about how "harsh" the stick should be.  Saying "MUST 
> NOT" when people very occasionally have legitimate reasons devalues the 
> finding and the advice.

What are these legitimate reasons? Or perhaps put another way, what do 
we consider a "password" to be, if not a *secret* best shared only 
between exactly two parties and used to authenticate one party to the 
other?

> I think we have to beat the point about the 
> dangers and encourage people to not use them. 
> 
> I think the finding currently reflects the very best that we are going 
> to get in terms of such a stance, and that is the least objectionable to 
> the most number of people.

Perhaps. But if we wave our hands in the air, will anyone hear us?

As you say in your introduction:

"Security on the World Wide Web is an important issue which needs to be 
addressed, or mistrust of the Web will limit its growth potential."

Password-based authentication is, for better or worse, an important part 
of security on the World Wide Web.

Cheers,

- johnk

> 
> Cheers,
> Dave
> 
> On Fri, Oct 10, 2008 at 6:23 AM, John Kemp <john.kemp@nokia.com> wrote:
> 
> 
>     ext Elliotte Harold wrote:
> 
>         Ray Denenberg, Library of Congress wrote:
> 
>             A blanket admonishment: "do not ever, under any
>             circumstance, use passwords
>             in the clear", is fairly useless, most everyone will ignore
>             it. People are
>             not going to stop. Better to educate people on the dangers.
> 
> 
>         Give that blanket admonishment, and then explain the reasons
>         behind it; but don't compromise the good advice because you
>         think it may not be followed by all people in all circumstances.
> 
> 
>     I wholeheartedly agree. What is the sense in continuing to
>     implicitly condone these practices? Who would care?
> 
>     It is not that people will necessarily stop using passwords in the
>     clear, but shouldn't we have a metaphorical stick to beat them with?
> 
>     - johnk
> 
> 

Received on Friday, 10 October 2008 14:42:46 UTC