On 4/12/2014 10:02 PM, Adam D. Ruppe wrote:
> On Saturday, 12 April 2014 at 21:18:26 UTC, Nick Sabalausky wrote:
>> Never storing or transmitting password in plain text is not only
>> basic, obvious and to be expected, but it is THE most basic, obvious
>> and to-be-expected principle that exists in computer security.
>
> ... and it is also the most common way passwords are sent in internet
> protocols.
>
> * SMTP and HTTP will base64 encode it with their basic auth but that's it
> * web sites typically transmit it completely open
>
> There's SSL now that gets more traction, but if you expect a password
> NOT to be sent in something trivially converted to plain text, wake up
> and smell the RFC.
Well yeah, internet protocols tend to use SSL/TLS *as* the password
encryption. I think that's fine and good as long as SSL/TLS is actually
used, especially since it means the rest of the data is automatically
encrypted too, not just the password. It's also nice because it means
the various protocols don't have to reinvent their own counterpart to
SSL/TLS and risk doing so poorly. People know plain-text-password
protocols require an encrypted tunnel, but a broken poorly-designed
protocol-specific password encryption scheme is more easily mistaken as
a suitable substitute for SSL/TLS.
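To make the point above concrete, here is an added example (not code from the thread or from either poster) that decodes the two "encoded but not encrypted" credential formats Adam mentions, HTTP Basic (RFC 7617) and SMTP AUTH PLAIN (RFC 4616), and adds the client-side check Nick's argument implies: refuse to attach Basic credentials unless the connection is TLS. The sample credentials are constructed for the demo; the loopback exemption in the guard is an assumption for local development, not anything the thread states.

```python
"""HTTP Basic and SMTP AUTH PLAIN only base64-encode credentials; TLS does the encrypting."""
from __future__ import annotations

import base64
from urllib.parse import urlsplit


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover (user, password) from an 'Authorization: Basic ...' header value.

    RFC 7617: the token is base64(user ':' password). Only the first colon
    separates the fields, so a password containing colons survives intact.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: no ':' separator")
    return user, password


def decode_smtp_auth_plain(line: str) -> tuple[str, str, str]:
    """Recover (authzid, authcid, password) from an SMTP 'AUTH PLAIN <b64>' line.

    RFC 4616: the decoded message is [authzid] NUL authcid NUL password.
    The authorization identity is usually empty.
    """
    tokens = line.split()
    if len(tokens) != 3 or tokens[0].upper() != "AUTH" or tokens[1].upper() != "PLAIN":
        raise ValueError("not an AUTH PLAIN line")
    raw = base64.b64decode(tokens[2], validate=True).decode("utf-8")
    parts = raw.split("\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN message: expected two NUL separators")
    return parts[0], parts[1], parts[2]


def may_send_basic_credentials(url: str) -> bool:
    """Client-side guard: attach Basic credentials only when TLS protects them.

    https is allowed; plain http is refused except to loopback, which is an
    assumed convenience for local development tooling, not a security property.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in ("localhost", "127.0.0.1", "::1")


# Constructed sample credentials for the demo; not taken from the thread.
SAMPLE_HTTP_HEADER = "Basic " + base64.b64encode(b"alice:s3cret:with:colons").decode()
SAMPLE_SMTP_LINE = "AUTH PLAIN " + base64.b64encode(b"\x00bob@example.com\x00hunter2").decode()


if __name__ == "__main__":
    # Anyone who can read the bytes on the wire can do exactly this.
    print("HTTP Basic ->", decode_basic_auth(SAMPLE_HTTP_HEADER))
    print("SMTP PLAIN ->", decode_smtp_auth_plain(SAMPLE_SMTP_LINE))
    for url in ("https://example.com/api", "http://example.com/api", "http://localhost:8080/"):
        print(url, "->", "send" if may_send_basic_credentials(url) else "refuse")
```

The decoders need no key and no secret, which is the whole point of the exchange: base64 is a transport encoding, and the only thing standing between a passive observer and the password is the TLS session the protocol runs inside. The guard is the cheap client-side counterpart: a tool that sends Basic credentials should fail closed on a plain-http URL rather than rely on the user noticing the missing "s".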