On 06/22/2011 09:36 PM, Yutaka OIWA wrote:
> 2011/6/23 GOGWIM, JOEL GODWIN <[email protected]>:
>> Supported.
>> Weak and predictable passwords should be avoided.
>
> Ideally I agree, but in reality I hesitate to agree with it
> with technical means and backgrounds.

How is the IETF or W3C going to define "weak password" anyway?

Even if there were a way, it's common to see users getting hacked these
days because they use the same (possibly strong) password at multiple sites.

It's best to pick a completely unique, strong password (12 or more
characters) for each and every site. But unless you're some kind of
savant, this requires writing these passwords down somewhere.

But instead, users are taught not to write their passwords down (mostly
by employers who don't want it to end up on a sticky note in an obvious
place). So users either pick simple passwords and/or they use the same
one at every site.

> Of course, even if we introduce such a "secure" password registration protocol,
> I foresee that some people will continue to stick to plain-text password
> registration for various reasons. For example, if a law had required
> some servers (e.g. financial entities) to check and reject such predictable
> passwords, we would have no way to secure it.

That would be a bad law.

I don't think a protocol design can or should defend against bad laws.

At least in the US, financial institutions don't have such laws. They
instead have a patchwork of audit requirements, industry standards, best
practices, compliance, etc. Which is probably better than passing laws
about password complexity requirements, all things considered.

> For such purposes servers will
> continue to receive raw passwords and compute password hashes
> (or whatever equivalent) on the server side.
>
> But I think that providing a possibility of securely registering passwords
> to servers is one of the required things for us to do.

This is far more important than working out ways to accommodate sites
that want or need to transfer the password in clear text. Those sites
are already able to do that just fine.

Ideally the technology would somehow prevent a site from accepting (or
doing anything useful with) the user's plaintext password within the
page. This would allow the browser to remove any ambiguity for users
which would be exploitable by phishing.

The simplest message, and the one that will "sink in" with the most users,
is: "You should never type this password into any web page or program
except this unmistakable piece of browser chrome. Not to verify your
account info, not to reset your password, not to receive tech support
from someone you trust, and not even to see free pictures of kittens."

It would be amazing if we could get there, but browser vendors and sites
conspire against us to defeat it.

- Marsh
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec