[33407] in bugtraq


RE: MS to stop allowing passwords in URLs

daemon@ATHENA.MIT.EDU (Richard M. Smith)
Wed Feb 4 08:09:44 2004

Message-Id: <200402031553.i13Fra67010280@mtaw6.prodigy.net>
From: "Richard M. Smith" <rms@computerbytesman.com>
To: "'McAllister, Andrew'" <McAllisterA@umsystem.edu>,
        <bugtraq@securityfocus.com>
Date: Tue, 3 Feb 2004 07:54:22 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-reply-to: <657713855E75BA41B16662DF0F1B6BDF28229D@UM-EMAIL06.um.umsystem.edu>

   >>> Anyone have any comments regarding legitimate 
   >>> uses of this syntax and Microsoft removing it 
   >>> from their browser? (and presumably the OS since
   >>> the browser IS the OS).

It always was a bad idea to put plaintext passwords in URLs because it
encouraged users to give away passwords in links on public Web pages.  The
spoofing games were the second big problem with them that showed up later.
Glad to see Microsoft getting rid of the feature.

Richard 
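[Added example, not part of the original message: a link audit for the two problems named above, plaintext passwords embedded in URLs and userinfo that is dressed up as a hostname. The sample text, hosts, credentials and the names `audit_url` and `scan` are constructed for illustration.]

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample text; every host and credential below is made up.
SAMPLE = (
    'Download: <a href="ftp://alice:s3cret@files.example.org/pub/a.zip">here</a>\n'
    "Log in at http://www.bank.example@203.0.113.7/login.asp to confirm.\n"
    "Docs: https://docs.example.org/guide?mail=user@example.org\n"
)

URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s"'<>]+""", re.IGNORECASE)
# Userinfo shaped like a DNS name is what makes a link look like another site.
HOSTLIKE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def audit_url(url):
    """Return a finding for a URL that carries userinfo, else None."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:      # an '@' in the path or query is not userinfo
        return None
    flags = []
    if parts.password is not None:
        flags.append("plaintext-password")
    if HOSTLIKE_RE.match(parts.username or ""):
        flags.append("userinfo-looks-like-host")
    host = parts.hostname or ""
    if ":" in host:                  # IPv6 literal needs its brackets back
        host = "[" + host + "]"
    try:
        port = parts.port
    except ValueError:               # malformed port: drop it from the rewrite
        port = None
    netloc = host if port is None else "%s:%d" % (host, port)
    stripped = urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    # The password itself is deliberately never copied into the finding.
    return {"real_host": parts.hostname, "userinfo_user": parts.username,
            "flags": flags, "stripped": stripped}


def scan(text):
    """Audit every http(s)/ftp URL found in a block of text or HTML."""
    hits = (audit_url(m.group(0)) for m in URL_RE.finditer(text))
    return [h for h in hits if h is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

`real_host` is the host the client actually connects to; everything before the `@` is only credentials, whatever it looks like.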

