> -----Original Message-----
> From: regext <regext-boun...@ietf.org> On Behalf Of Martin Thomson
> Sent: Tuesday, November 12, 2019 7:57 PM
> To: regext@ietf.org
> Subject: [EXTERNAL] [regext] draft-ietf-regexy-login-security
>
> In reviewing the IANA registrations for this draft, I noticed a design issue that I think the working group needs to discuss more.
>
> From a strictly schema perspective, the whitespace normalization requirements for token will likely have implications for usability of passwords that include spaces on the <pw> and <newPW> elements. That's a problem for manually constructed messages, so it would be a minor comment.
>
> However, that would ignore the fact that use of plaintext passwords is not a good practice. Even if this is merely revising something from RFC 5730 to extend their length (which is fine in isolation), I think that the working group needs to more fully consider. Though it remains common, relying on password-based authentication is generally regarded as a failing; though it might be unavoidable, most authentication systems try to avoid it, or only use passwords as a way to step up to something stronger. Sending passwords in cleartext in protocols is regarded as a serious exposure in most systems. Even passing hashed and salted passwords has risks that mean that is generally avoided where possible.
TLS protection is specified to avoid sending passwords in plaintext form. I agree that we should consider login security improvements over time as new options are available to us. It's always best to start a conversation by throwing a proposal out there for people to consider.

Scott

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
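An added example, written for this page and not taken from either message or from the draft: a small Python model of the XML Schema "collapse" whitespace processing that xs:token values undergo, run over a few constructed password strings, so the usability point Martin raises about spaces in <pw> and <newPW> can be seen concretely. The function names are my own, and the sample passwords are constructed; what a given EPP server actually does depends on whether its parser validates against the schema.

```python
# Added example (not from the thread or the draft): models the
# whiteSpace="collapse" facet that XML Schema Part 2 applies to xs:token,
# and shows what it does to passwords that contain spaces.
import re


def collapse_whitespace(value: str) -> str:
    """Apply XML Schema 'collapse' whitespace processing, as for xs:token.

    Step 1 ('replace'): each tab, line feed and carriage return becomes a
    single space (#x20).
    Step 2 ('collapse'): runs of spaces become one space, and leading and
    trailing spaces are removed.  Other characters (including non-breaking
    spaces) are left alone, as the facet only touches #x20, #x9, #xA, #xD.
    """
    replaced = value.replace("\t", " ").replace("\n", " ").replace("\r", " ")
    return re.sub(" +", " ", replaced).strip(" ")


def survives_token_transport(password: str) -> bool:
    """True if carrying this password in an xs:token element leaves it intact.

    A client that sets or changes a password could run this check before
    sending <newPW>, and refuse or warn on values that would be altered,
    rather than storing a secret that can never be presented back correctly.
    """
    return collapse_whitespace(password) == password


def token_collisions(passwords):
    """Group distinct passwords that normalize to the same xs:token value.

    Every member of a group would authenticate as the same credential once
    normalized, which is the usability (and policy) consequence of the facet.
    """
    groups = {}
    for pw in passwords:
        groups.setdefault(collapse_whitespace(pw), []).append(pw)
    return {norm: members for norm, members in groups.items() if len(members) > 1}


# Constructed sample passwords; all but the first contain whitespace that
# the collapse facet would change.
SAMPLE_PASSWORDS = [
    "correct horse",       # single internal space: survives
    " correct horse",      # leading space: stripped
    "correct  horse",      # double space: collapsed
    "correct\thorse",      # tab: replaced by a space
    "correct\u00a0horse",  # non-breaking space: untouched
]


def report(passwords=SAMPLE_PASSWORDS):
    """Return (password, normalized form, survives) for each sample."""
    return [(pw, collapse_whitespace(pw), survives_token_transport(pw)) for pw in passwords]


if __name__ == "__main__":
    for pw, norm, ok in report():
        print(f"{pw!r:24} -> {norm!r:20} {'ok' if ok else 'ALTERED'}")
    for norm, members in token_collisions(SAMPLE_PASSWORDS).items():
        print(f"{len(members)} distinct passwords collapse to {norm!r}")
```

The check in `survives_token_transport` is the practical takeaway for a registrar client: run it when a password is chosen, because a value rejected here would be silently changed in transit by any schema-validating consumer. It says nothing about the larger point in the thread, that the password itself still travels in plaintext inside the TLS session.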