Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication

Pete Cordell scripsit:

> I'm surprised I'm in a minority of one on this.  I've snipped out lots of 
> comments in a reply, but my basic position is that we shouldn't be 
> adopting a "buyer beware" position when it comes to handling passwords 
> when we know there are better ways to do it, and we have known that for 
> the best part of a decade.

We (if by "we" you mean human beings collectively) have known for decades
that two-factor authentication (two of "what you have", "what you know",
and "what you are") is the minimum requirement for decent security.
In particular passwords are a crappy implementation of "what you know",
since people most of the time either don't know them (the post-it on
the monitor) or do know them and so can anyone else.

-- 
John Cowan      cowan@ccil.org         http://www.ccil.org/~cowan
Statistics don't help a great deal in making important decisions.
Most people have more than the average number of feet, but I'm not about
to start a company selling shoes in threes. --Ross Gardler



Copyright 1993-2007 XML.org. This site is hosted by OASIS