On Mon, Apr 27, 2020 at 7:14 AM Michael Thomas <m...@mtcc.com> wrote:
> On 4/26/20 8:39 PM, Matt Palmer wrote:
> > On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
> >> Which exactly zero deployment. And you need to store the plain-text
> >> password
> >> on the server side. What could possibly go wrong?
> > But you said that *passwords on the wire* were the biggest problem. Digest
> > auth solves that. Also, you don't have to store the plain-text password.
Correct. You need only store the realm/user/password digest.

The chief problem with digest authentication is that the web site has no control over the UI. Among the many issues, this makes it tricky to reliably capture a digest in the first place without the server at least briefly knowing the password. I don't know if webauthn corrects this or makes similar blunders.

> You clearly know everything, while Steven, Paul, myself and the
> collective wisdom of w3c know nothing, so I'm out.

Respectfully, if you didn't know that http digest authentication doesn't require server-side password storage, and more importantly don't simply admit it now that you've been informed, how trustworthy can your understanding of web authentication be?

I can't speak to Steven, Paul, the w3c or any other non-posters to this thread that you wish to employ in an appeal to authority fallacy, but with due respect, I think you hold a myopic view of network security.

For better or worse, security is a zero-sum game. The budget stays proportional to the value of the asset being protected. When you spend it on low-impact improvements you don't have it for the many improvements with a higher impact than whether a web site knows the password you chose for that web site.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/
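The point Bill makes above, that the server need only keep the realm/user/password digest (HA1 in RFC 2617 terms), shown as an added example that is not part of this thread: enrollment stores HA1 and discards the password, and later verification recomputes the client's response from the stored HA1 alone. Realm, nonce and credentials are constructed for the demo; the comments also mark the two caveats a defender cares about, namely that the server sees the password once at enrollment and that a stolen HA1 is password-equivalent within its realm.

```python
import hashlib
import secrets

REALM = "example.org"  # constructed realm for the demo


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is the only secret the server keeps.
    Caveat: anyone holding HA1 can authenticate in this realm, so protect the table."""
    return _md5(f"{username}:{realm}:{password}")


def enroll(db: dict, username: str, realm: str, password: str) -> None:
    """Enrollment: the server sees the password exactly once, stores HA1, drops the password."""
    db[(username, realm)] = ha1(username, realm, password)


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_authorize(username: str, password: str, realm: str,
                     method: str, uri: str, nonce: str) -> dict:
    """Browser side: derive HA1 from the typed password and build the Authorization fields."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}


def server_verify(db: dict, method: str, auth: dict, issued_nonce: str) -> bool:
    """Server side: recompute from stored HA1 only; the password is never needed here.
    The nonce must be one this server issued, or a captured response could be replayed."""
    stored = db.get((auth["username"], auth["realm"]))
    if stored is None or auth["nonce"] != issued_nonce:
        return False
    expected = digest_response(stored, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return secrets.compare_digest(expected, auth["response"])
```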