Passwords in the Clear

[Editor's Draft] TAG Finding passwordsInTheClear-52,v 1.01 2006/10/04 12:23:58 

This version:
Latest version:
Ed Rice, Hewlett Packard <Ed.Rice@hp.com>


The purpose of this finding is to clarify the security concerns around using passwords on the world wide web.  Specifically, the objective is to point out a few conclusions the TAG has come to;

1) Passwords MUST NOT be transmitted in clear text.
2) Passwords MUST  use password masking when displayed in the html form

The purpose of this paper to explain these findings and give direction around possible alternatives.

Status of this Document

This document has been produced by the W3C Technical Architecture Group (TAG). This finding addresses TAG passwordsInTheClear-52.

This is the first public draft of this finding. This finding is an editorial draft, not yet accepted by the TAG.

Additional TAG findings, both accepted and in draft state, may also be available. The TAG expects to incorporate this finding according to the process of the W3C Recommendation Track.

Please send comments on this finding to the publicly archived TAG mailing list www-tag@w3.org (archive).

Table of Contents

1 Introduction
2 Passwords in the clear
    a) Secure transfers
3 Passwords displayed in Browser


A References

1 Introduction

Security on the world wide web is an important issue which needs to be addressed or the miss-trust of the web will limit its growth potential.  Specifically this paper will talk about the user of passwords on the WWW and the needs to keep them secure during display, temporary storage in cookies as well as transmission of that data over the web.

The TAG feels there are sufficient technologies to take a clear stance on password security as it relates to the world wide web.

2 Passwords in the clear

This section addresses the issue of transmitting passwords in clear text over the world wide web.   When the passwords are transmitted in clear text, the password is vulnerable in many ways;

a)  The password is available on the wire.  As the password is transmitted over the wire, tools such as packet sniffers or network analyzers can easily monitor the traffic and intercept passwords as they're sent between computers.

b) The password is available in browsing history.  Most web browsers allow you to navigate 'back' to previous pages, the content is cached for performance as well as ease of use for the user.  These pages are stored in memory and are relatively easy to examine.

c) The password is readable on the web proxies.  Many larger corporations, as well as internet service providers, offer web proxies to allow users faster downloads as well as some level of anonymity to web browsers. 

The HTTP spec specifically states that HTTP is not considered to be a secure method of user authentication (unless used in conjunction with some external secure systems such as SSL).

The Yankee Group2 estimates that between 1 and 2 percent of ecommerce transactions are related to Fraud.  As customers are becoming more 'net savvy' they are starting to examine the web page types and are attempting use only secure systems.  Therefore its imperative that any corporation who wishes to safeguard its customers data start with secure transfers of user login and password information.

Good Practice

A password MUST NOT be transmitted in clear text.

2.1 Secure transfers

While its not the purpose of this paper to do an exhaustive description of secure transfer methods on the web, there are a few common methods used today which are easy to implement;

Digest Access Authentication - Proposed Standard RFC 2069 (see RFC 2617)

Digest acts as an extension to HTTP 1.0 and offers a way for authentication to happen between parties using a 'shared secret (a password).  This verification method can be done without trasmittion of the password in clear text which is intended to address the HTTP 1.0 Basic method of authentication.  The Digest method assumes that the username and password are prearranged however which may be a limitation to many applications.

Secure Socket Layer (SSL)

SSL is a protocol developed for trasmitting private documents via the Internet.  SSL works by using a private key to encrypt data that's transferred over the SSL connection.  Most browsers support SSL and most sites which require credit card information use SSL today.  Originally developed by Netscape there are now many different authorities for private key.

3. Passwords displayed in Browser

HTML allows authors to create input forms for multiple purposes.  It is the TAG's opinion that if the form field is a password, password masking must take place to protect the user from on-lookers seeing what is being entered and stop some from later using the 'back' button to discover passwords. 

         <form name="form1" action="http://www.mydomain.com/myform.cgi" method="POST">
                Enter Password : <input type="password" size="25">

Good Practice

Passwords MUST  use password masking when displayed in the html form

A References

W3C Security Resource
Available online as http://www.w3.org/Security/.
Yankee Group, Building Blocks of Transparent web Security; Server-Gated Cryptography.  Available online as http://www.verisign.com/static/036094.pdf

OpenSSL: The open source SSL project.  Available online as http://www.openssl.org/

RapidSSL: Available online as http://www.rapidssl.com/index_ssl.htm

VeriSign: Available online as http://www.verisign.com

IETF: A survey of authentication methods.  Available online as http://ietfreport.isoc.org/all-ids/draft-iab-auth-mech-05.txt