Re: Passwords in the clear update from John Kemp on 2008-10-10 (www-tag@w3.org from October 2008)

From: John Kemp <john.kemp@nokia.com>
Date: Fri, 10 Oct 2008 16:43:03 -0400
To: "ext noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>
CC: elharo@metalab.unc.edu, Jonathan Rees <jar@creativecommons.org>, ext David Orchard <orchard@pacificspirit.com>, "Ray Denenberg, Library of Congress" <rden@loc.gov>, www-tag@w3.org
Message-ID: <48EFBE57.3050405@nokia.com>

ext noah_mendelsohn@us.ibm.com wrote:
> I think I agree with Dave Orchard here.  MUST NOT is pretty strong.  Let's 
> say I put up a Web site for my family, an  example I've used before.  I 
> want some barriers to casual access by others, but I really don't care 
> that much whether anyone breaks in to see the photos of my kids' birthday 
> party.  

...

>  Seems fine to me.  What's broken.  So, SHOULD NOT.  MUST NOT 
> should be reserved for things that are always a mistake, and I don't think 
> this is.

OK, I can say I agree with your use-case. And I guess you wouldn't use 
SSL because it's too difficult to set it up on your family website...

I do wonder though whether this finding is really addressed to those 
running their family website (except TAG members ;), rather than those 
who write web software for living?

> 
> By the way, this reminds me of another hole.  How many systems carefully 
> use https for login, but send passwords around using insecure email.  How 
> many users store copies of those emails in unencrypted files.  Yes, much 
> of this is bad practice, and perhaps it should be called out as such in 
> the finding.  Still, it somewhat oversimplifies the discussion to focus a 
> strong MUST NOT on the exchange of passwords using HTTP, while not saying 
> anything at all about other common situations in which the same passwords 
> are transmitted or stored "in the clear".

I certainly see your point, and I agree it would be good not to 
oversimplify.

I think I can also agree that if the finding should address the use-case 
you describe, in addition to scenarios where we hope to impact web 
software then we need to allow quite a lot of leeway.

- johnk

> 
> Noah 
> 
> --------------------------------------
> Noah Mendelsohn 
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
> 
> 
> 
> 
> 
> 
> 
> 
> John Kemp <john.kemp@nokia.com>
> 10/10/2008 10:39 AM
>  
>         To:     ext David Orchard <orchard@pacificspirit.com>
>         cc:     elharo@metalab.unc.edu, "Ray Denenberg, Library of 
> Congress" <rden@loc.gov>, noah_mendelsohn@us.ibm.com, Jonathan Rees 
> <jar@creativecommons.org>, www-tag@w3.org
>         Subject:        Re: Passwords in the clear update
> 
> 
> ext David Orchard wrote:
>> The question is about how "harsh" the stick should be.  Saying "MUST 
>> NOT" when people very occasionally have legitimate reasons devalues the 
>> finding and the advice.
> 
> What are these legitimate reasons? Or perhaps put another way, what do 
> we consider a "password" to be, if not a *secret* best shared only 
> between exactly two parties and used to authenticate one party to the 
> other?
> 
>>  I think we have to be beat the point about the 
>> dangers and encourage people to not use them. 
>>
>> I think the finding currently reflects the very best that we are going 
>> to get in terms of such a stance, and that is the least objectionable to 
> 
>> the most number of people.
> 
> Perhaps. But if we wave our hands in the air, will anyone hear us?
> 
> As you say in your introduction:
> 
> "Security on the World Wide Web is an important issue which needs to be 
> addressed, or mistrust of the Web will limit its growth potential."
> 
> Password-based authentication is, for better or worse, an important part 
> of security on the World Wide Web.
> 
> Cheers,
> 
> - johnk
> 
>> Cheers,
>> Dave
>>
>> On Fri, Oct 10, 2008 at 6:23 AM, John Kemp <john.kemp@nokia.com 
>> <mailto:john.kemp@nokia.com>> wrote:
>>
>>
>>     ext Elliotte Harold wrote:
>>
>>         Ray Denenberg, Library of Congress wrote:
>>
>>             A blanket admonishment: "do not ever, under any
>>             circumstance, use passwords
>>             in the clear", is fairly useless, most everyone will ignore
>>             it. People are
>>             not going to stop. Better to educate people on the dangers.
>>
>>
>>         Give that blanket admonishment, and then explain the reasons
>>         behind it; but don't compromise the good advice because you
>>         think it may not be followed by all people in all circumstances.
>>
>>
>>     I wholeheartedly agree. What is the sense in continuing to
>>     implicitly condone these practices? Who would care?
>>
>>     It is not that people will necessarily stop using passwords in the
>>     clear, but shouldn't we have a metaphorical stick to beat them with?
>>
>>     - johnk
>>
>>
> 
> 
>

Received on Friday, 10 October 2008 21:06:16 UTC