[cap-talk] Webkeys vs. the web

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Fri Mar 27 21:51:56 EDT 2009

Stiegler, Marc D wrote:
>> Stiegler, Marc D wrote:
>>> I am presuming that the service would be using the "forgot 
>>> your password" protocol anyway for people who forget their password.
>> Only if, for that particular service, the vulnerability 
>> created by sending passwords in cleartext email is acceptable.
> Of course. Lots of them use this strategy, presumably it is acceptable.

That doesn't follow. I meant objectively acceptable; not accepted.

>>> The advantage of my proposal is we are not adding yet 
>>> another password to the burden.
>> Users expect the burden of managing passwords; they do not 
>> expect to have to check their email on every visit to a 
>> website that is not from a bookmark. In any case, *if* the 
>> cleartext email vulnerability is acceptable then it's 
>> possible to provide both UIs, and users who always rely on 
>> "forgot my password" then do not have to manage their passwords.
> Sure. Just don't make the "forgot my password" interface a second-class
> citizen that tells the user he's stupid (it should be co-equal on the
> page, it should not require an extra click to yet another page, it
> should be called "email my link" [...]

No argument there.

> not "forgot my password", and we ourselves should stop calling it
> "forgot my password" [...]


> -- now that we understand the analogy it is time to drop the
> pejorative terminology). It would then be interesting to see how
> many people screw around with passwords.

Some people use password helpers, in which case they don't have to
remember the password themselves. Of course, if they have access to
the helper that stores their passwords then they could have used a
bookmark, but using the password helper allows them to get to the
site just by typing a memorable URL, and is consistent with what
they do for other sites.

> I would replace, "Users expect the burden of..." with "Users are
> resigned in their hopeless despair to the farcical yet futile
> requirement laid upon them by ivory-tower security people of...".

It isn't ivory-tower dwellers who are mainly responsible in this

David-Sarah Hopwood ⚥

More information about the cap-talk mailing list