- From: <noah_mendelsohn@us.ibm.com>
- Date: Mon, 13 Oct 2008 22:08:46 -0400
- To: elharo@metalab.unc.edu
- Cc: Jonathan Rees <jar@creativecommons.org>, John Kemp <john.kemp@nokia.com>, ext David Orchard <orchard@pacificspirit.com>, "Ray Denenberg, Library of Congress" <rden@loc.gov>, www-tag@w3.org
It's probably time to wrap this up, since in some ways we're agreeing on
the pros and cons, and just not landing in the same place on whether the
circumstance justifies a MUST or a SHOULD. That said, I've had a number
of cases where I've happily used weak passwords, not necessarily for
pictures of my kids, but for access to experimental Web sites or other
things of transient value where it would be a nuisance but not a disaster
if casual visitors showed up. Yes, in some cases the same sites have also
been blocked by robots.txt, etc., all examples of casual defenses that
don't hold up well in the long run. The fact is that in each case, I
think I've been pretty well aware of the risks (or at least nothing in
this discussion has surprised me), and I've been comfortable using the
passwords in the clear.
As another real world example, I just received a survey from a large hotel
chain asking me to comment on my recent stay. Sure enough, the link to
the survey page was along the lines of:
http://bighotelsrus.com/survey?userid=noahsuserid&password=xxxxxxx
which is about as in the clear as you can get. Now it's possible that
the people putting out this survey are so dumb that they have no clue
about the security risks. More likely, they just aren't that concerned
about people trying to make a business out of rummaging through my email,
finding the survey link, and answering the survey for me. Now, why they
bother with a password at all isn't totally clear to me, but I presume the
userid shows up in parts of their system where the password doesn't.
Anyway, I don't see any reason they shouldn't do this sort of thing if it
meets their needs.
(Amusingly, when you click this URI, it does indeed pick up your userid,
but asks you to enter the password anyway, notwithstanding that it's
sitting right there in your address bar.)
Noah
--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Elliotte Harold <elharo@metalab.unc.edu>
10/11/2008 10:16 AM
Please respond to elharo
To: noah_mendelsohn@us.ibm.com
cc: John Kemp <john.kemp@nokia.com>, Jonathan Rees
<jar@creativecommons.org>, ext David Orchard <orchard@pacificspirit.com>,
"Ray Denenberg, Library of Congress" <rden@loc.gov>, www-tag@w3.org
Subject: Re: Passwords in the clear update
noah_mendelsohn@us.ibm.com wrote:
> I think I agree with Dave Orchard here. MUST NOT is pretty strong. Let's
> say I put up a Web site for my family, an example I've used before. I
> want some barriers to casual access by others, but I really don't care
> that much whether anyone breaks in to see the photos of my kids' birthday
> party.
In fact, many parents care a *great* deal that random strangers not be
allowed to see photos of their kids. They are shocked and appalled when
they discover that happening. I think we would be doing them a real
disservice if we indicate that it's OK to post family information with
passwords in the clear.
If you really don't care about casual access by others, you only send
the URL to friends and you don't link to or publish it. Maybe you set up
robots.txt to indicate noindex. But that is not the use case for
password protection.
I think we need to recognize that anyone who establishes usernames and
passwords for a page has a reasonable desire to only allow authorized
users to enter. How much they care when unauthorized users break in is
irrelevant. The vast majority of sites care a great deal about this,
though some more than others. The point of a password is to prevent
unauthorized access, and a use case that starts with the assumption that
unauthorized access is unimportant contradicts the whole reason for
having a password in the first place. What's really being argued here is
that sometimes people put passwords on pages that don't really need
them. True enough, but this is not something we need to consider in the
finding. Do we really want to say, "Send passwords in the clear only
when you don't need passwords at all?"
--
Elliotte Rusty Harold elharo@metalab.unc.edu
Refactoring HTML Just Published!
http://www.amazon.com/exec/obidos/ISBN=0321503635/ref=nosim/cafeaulaitA
Received on Tuesday, 14 October 2008 02:09:32 UTC