W3C

Passwords in the Clear

[Editor's Draft] TAG Finding passwordsInTheClear-52,v 1.02 2006/12/12 21:52:21 passwordsInTheClear-52, January 24 2008

Latest version:
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52.html
This version:
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20071108.html http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080124.html
Previous version(s):
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20061211.html http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20071108.html
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20061212.html
Editors:
David Orchard, BEA Systems mailto:dorchard@bea.com
Ed Rice, Hewlett Packard mailto:Ed.Rice@hp.com

Copyright  ©   W3C ® ( MIT , ERCIM , Keio ), All Rights Reserved. W3C liability , trademark and document use rules apply.

Abstract

The purpose of this finding is to clarify the security concerns around using passwords on the World Wide World-Wide Web. Specifically, the objective The principle advice described is to point out that passwords SHOULD NOT be transmitted in the clear except in a few very specific cases.

Status of this Document

This document has been produced by the W3C Technical Architecture Group (TAG) . This finding addresses TAG issue passwordsInTheClear-52 .

This finding is an editorial draft, not yet accepted by the TAG. This finding therefore does not have any official standing and does not represent the consensus of the Technical Architecture Group at the W3C.

Additional TAG findings , both accepted and in draft state, may also be available. The TAG expects to incorporate this finding according to the process of the W3C Recommendation Track .

Please send comments on this finding to the publicly archived TAG mailing list www-tag@w3.org ( archive ).

Table of Contents

1 Introduction
2 Passwords in the clear
    a) Secure transfers
    b) SOAP Based transmissions .
3 Passwords displayed in Browser
A References
 

1 Introduction

Security on the World Wide World-Wide Web is an important issue which needs to be addressed or mistrust of the Web will limit its growth potential. Specifically this paper talks about This finding describes the use of passwords on the WWW World-Wide Web and the needs need to keep them secure during display, temporary storage in cookies as well as cookies, and in transmission of that data over the Web.

The TAG feels there There are sufficient technologies available to take describe a clear stance position on password security as it relates to the World Wide World-Wide Web.

2 Passwords in the clear

This section addresses the issue of transmitting passwords in clear text over the World Wide World-Wide Web. When a password is transmitted in clear text, it is vulnerable in many ways:

  1. The password is available on the wire. As the password is transmitted over the wire, tools such as packet sniffers or network analyzers can easily monitor the traffic and intercept passwords as they're sent between computers.
  2. The password is available in browsing history. Most web browsers allow you to navigate provide 'back' navigation to previous pages, with content locally cached for performance as well as ease of use for the user. These pages are stored in memory and are relatively easy to examine.
  3. The password is readable on web proxies. Many larger corporations, as well as internet service providers, offer web proxies to allow users faster downloads as well as some level of anonymity for web users.

The HTTP specification specifically states that HTTP is not considered to be a secure method of user authentication (unless used in conjunction with some external secure systems system such as SSL).

It is estimated that between 1 and 2 percent of e-commerce transactions are related to fraud. As customers are becoming more 'net savvy' savvy', they are starting to examine web page types and are attempting use to only use secure systems. Therefore it's imperative that Therefore, any organization that wishes to safeguard its customers' data should start with secure transfers of user login and password information.

Good Practice

A server or resource SHOULD NOT solicit any passwords in clear text.

Good Practice

A client or browser SHOULD NOT transmit passwords in clear text.

There are some cases where it is acceptable to transmit passwords in the clear; one clear. One example would be a test page that has no sensitive information on it where the only reason for the prompting of the password is to stop it from being indexed by a major search engine. Placing placing a password on the a page is a simple way to stop the crawling of the pages web crawlers without really having to 'secure' the content. Because users often cannot tell when Administrators using a password is being send in the clear or not, we could use another 'Good Practice' text password need to make sure that users are be aware that passwords used for this type of the resulting vulnerability, and go on to use purpose SHOULD NOT re-use the same password again for a application intended to be secure. in contexts that are more sensitive.

Automatic Protection by User agent

However, many forms use onSubmit actions It is tempting to start javascript programs. These programs secure build user agents that refuse to send sensitive data in the password and then transmit clear, or to warn users. There are two problems. Firstly, the password and other information. A User Agent user agent cannot examine the determine what is sensitive. It is not always input using password masking, often for good reason. Secondly, when javascript to ensure that is enabled, the script can use the password is not transmitted in the clear text. Therefore this finding can provide no Good Practice advice in many ways, which are too difficult for the browser to User Agent authors. analyze.

2.1 Secure transfers

While it's not the purpose of this paper to do an exhaustive description of secure transfer methods on the Web, there are a few common methods used today which are easy to implement;

Digest Access Authentication [Digest] :

Digest Authentication acts as an extension to HTTP 1.0 and offers provides a way for authentication to happen between parties without transmitting the password over the network. Instead the password is treated as a secret input to a digest algorithm. The resulting digest is transmitted and verified by the server. Unfortunately the The Digest method requires that both parties have access to the same initial secret value. Because most Many systems store passwords are stored as a salted hash, hash and it is not possible in practice for both two parties using such systems to compute the same initial secret value.

Secure Socket Layer (SSL/TLS)

SSL/TLS is a protocol developed for transmitting private channels via the Internet. SSL/TLS works by using a private key to encrypt data that's that is transferred over the SSL/TLS connection. Most browsers support SSL/TLS and most sites which require credit card information use SSL/TLS today. Originally developed by Netscape there are now many different authorities providing private keys.

2.2 SOAP Based transmissions

SOAP communicates over messages are often sent using HTTP and any SOAP message is subject to similar password security concerns. While SSL/TSL SSL/TLS can be used to secure SOAP-based messages point to point, the issue can be more complex if SOAP intermediaries are used. The TAG's position on previous Good Practice advice of "A client or browser SHOULD NOT transmit passwords in clear text" applies to SOAP remains consistent: that messages and so passwords and sensitive information MUST SHOULD be transmitted in a secure manner and not as clear text. If confidential information is to be sent as part of the SOAP package, publishers SHOULD either use SSL/TLS or XML Encryption for sensitive data elements. Further information on security for SOAP messages can be found in Security Challenges, Threats and Countermeasures Version 1.0 [WSI] or on the OASIS Web Services Security TC home page [WSS] .

3 Passwords displayed in Browser

HTML allows authors to create inp