[Standards] Account Management protoXEP

Alexander Holler holler at ahsoftware.de
Wed Sep 21 19:03:04 UTC 2011


On 21.09.2011 20:10, Remko Tronçon wrote:

> Putting account management in ad-hoc commands means that we don't
> expect clients to have a "Change password" button, but instead go
> through the server provided "Change account settings" dialog. It takes
> away power from the client (it won't be able to add fancy things like
> password strength measurers), but it gives more power to the server to
> provide a UI (e.g. instructions) that fits it, and it saves client
> development time :-)

Hmm, that might add some security concerns when generalized fields (like 
text-private) are used for passwords.

I know, it's really hard to eliminate every occurrence of the password
from memory, but at least clients would have the ability to do whatever
they think is needed to protect the (typed in and maybe stored)
password from getting revealed.

Every time password dialogs are mentioned I remember the time when
it was possible to use a (Windows) tool e.g. to display the password in
Outlook's password dialog as clear text instead of * (long fixed) ;)

Regards,

Alexander



