Copyright © W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
The purpose of this finding is to provide guidance for securely transmitting passwords on the World Wide Web. The principle advice provided is that passwords MUST NOT be transmitted in the clear.
This document has been produced by the W3C Technical Architecture Group (TAG). This finding addresses TAG issue passwordsInTheClear-52.
This finding is an editorial draft, not yet accepted by the TAG. This finding therefore does not have any official standing and does not represent the consensus of the Technical Architecture Group at the W3C.
Additional TAG findings, both accepted and in draft state, may also be available. The TAG expects to incorporate this finding according to the process of the W3C Recommendation Track.
Please send comments on this finding to the publicly archived TAG mailing list www-tag@w3.org (archive).
1 Introduction
2 Passwords in the clear
1) Secure
transfers
1) Digest Authentication
2) SSL/TLS
2) SOAP
Based transmissions.
3 Passwords
displayed in Browser
A References
Security on the World Wide Web is an important issue which needs to be addressed or mistrust of the Web will limit its growth potential. This finding describes the use of passwords on the World Wide Web and the need to keep them secure during display, temporary storage in cookies, and in transmission over the Web. Note that there are technologies other than passwords for enabling the transmission of secure informaton.
There are sufficient technologies available to describe a clear position on password security as it relates to the World Wide Web.
This section addresses the issue of transmitting passwords in clear text over the World Wide Web. When a password is transmitted in clear text, it is vulnerable in many ways:
The HTTP specification specifically states that HTTP is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL).
It is estimated that between 1 and 2 percent of e-commerce transactions are related to fraud. As customers are becoming more 'net savvy', they are starting to examine web page types and are attempting to only use secure systems. Therefore, any organization that wishes to safeguard its customers' data should start with secure transfers of user login and password information.
Good Practice
A server SHOULD NOT solicit any passwords in clear text.
Good Practice
A client or browser MUST NOT transmit passwords in clear text.
There are no scenarios where it is acceptable to transmit passwords in the clear. Every scenario that involves possibly transmitting passwords in the clear can be redesigned for the desired functionality without a cleartext password transmission.
It is tempting to build user agents that refuse to send sensitive data in the clear, or to warn users. There are two problems. Firstly, the user agent cannot determine which data or information is sensitive. Sensitive information is not always input using password masking, often for good reason. Secondly, when the user agent is running arbitrary code, such as when javascript is enabled, a program or script can be used to process a clear text form field (possibly a password) for transfer in many ways, which are too difficult for the browser to analyze.
While it's not the purpose of this paper to do an exhaustive description of secure transfer methods on the Web, there are a few common methods used today which are easy to implement;
Digest Authentication acts as an extension to HTTP 1.0 and provides a way for authentication between parties without transmitting the password over the network. Instead the password is treated as a secret input to a digest algorithm. The resulting digest is transmitted and verified by the server.
However, the digest method is often not practicable and has known security weaknesses. The Digest method requires that both parties have access to the same initial secret value. Many systems store passwords as a salted hash, and the result is that it is not possible to use such pre-existing passwords for computing the digest. For example, operating systems that store salted and hashed passwords cannot reuse those passwords for Digest Authentication. The Digest method is subject to dictionary attacks, and must not be used except in circumstances where passwords are known to be of sufficient length and complexity to thwart such attacks. The sophistication and power of dictionary-based attacks continues to increase such that longer and complex passwords are vulnerable to attacks, not just short passwords using common terms. Great care must therefore be taken using digest authentication, and it should be noted that few systems on the Web today require sufficiently strong passwords. The Digest method is also subject to man in the middle attacks because an intermediary can degrade the quality of service to basic authentication
Given these weaknesses in Digest and password selection, users may erroneously believe the transmitted passwords are secure. Digest should only be used when the costs of more secure systems such as SSL/TLS do not justify the benefits and when strong passwords are encouraged or guaranteed.
SSL/TLS is a protocol developed for transmitting private channels via the Internet. SSL/TLS works by using a private key to encrypt data that is transferred over the SSL/TLS connection. Most browsers support SSL/TLS and most sites which require sensitive information such as credit card information use SSL/TLS today.
It is important to correctly implement SSL/TLS. Any page soliciting sensitive information such as passwords must be transmitted using SSL/TLS to prevent an attacker from submitting an imitation page that does not use SSL/TLS.
SOAP messages are often sent using HTTP and any SOAP message is subject to similar password security concerns. While SSL/TLS can be used to secure SOAP-based messages point to point, the issue can be more complex if SOAP intermediaries are used. The previous Good Practice advice of "A client or browser MUST NOT transmit passwords in clear text" applies to SOAP messages and so passwords and sensitive information SHOULD be transmitted in a secure manner and not as clear text. If confidential information is to be sent as part of the SOAP package, publishers SHOULD either use SSL/TLS or XML Encryption for sensitive data elements. Further information on security for SOAP messages can be found in Security Challenges, Threats and Countermeasures Version 1.0 [WSI] or on the OASIS Web Services Security TC home page[WSS].
HTML allows authors to create input forms. If a form field is a password, password masking SHOULD take place to protect the user from onlookers seeing what is being entered and stop anyone from later using the 'back' button to discover passwords.
<form name="form1" action="https://www.mydomain.com/myform.cgi" method="POST">
Enter Password : <input type="password" size="25"/>
</form>
Good Practice
User agents SHOULD use password masking when passwords are displayed in an HTML form.
This Good Practice does not contain a MUST because there are a few scenarios where password masking is not required. One example is that the user may request that the password be displayed in the clear in order to check the password as it is being entered. Another example is the previous example of a password intended merely to stop web crawling and which consequently is not particularly sensitive. Such non-sensitive passwords may be displayed without masking in addition to being transmitted in clear text.
[Digest]: HTTP Authentication: Basic and Digest Access Authentication, RFC 2617, Draft Standard, IETF. Available online as http://www.ietf.org/rfc/rfc2617.txt.
[WSI]: Security Challenges, Threats and Countermeasures Version 1.0, WS-I. Available online as http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf.