consumer-reports-innovation-lab / TheDigitalStandard

The Digital Standard is an ambitious, community-led effort to build a framework to test and rate products and services on the basis of privacy, security, and data practices.
Creative Commons Attribution 4.0 International

Passwords #31

Open NH-Jedi opened 7 years ago

NH-Jedi commented 7 years ago

The first issue with passwords is "why is a password required?" .. or more generally, "why do we need your identity and confirmation of that identity?" ... a significant number of password protected identities are not for user protection but for corporate marketing. Clearly some interactions have financial, health or personal data exposure that warrants protection. But most do not. Let's be specific with respect to Consumer Reports (the magazine) ... identity/password are used to prevent non-subscribers from accessing the publication, or from someone redirecting my subscription to their address, or to keep someone from paying my bill. None of these actually require significant protection -- either for CU or for the consumer. Access to my bank account is a different story. But forcing users to identify and authenticate is the first step on the road to lost identity and privacy. One evaluation factor is "is identity here needed?"

digitalstandard-bot commented 7 years ago

Thank you for helping shape the Digital Standard. Addressing privacy, security, and data issues in the marketplace requires a community-driven response.

The partners meet once every 3 months to review pull requests. The next meeting is scheduled for mid-May.

Thanks again!

taliesan commented 7 years ago

Mudge/Sarah... Thoughts?

citl-s commented 7 years ago

I think this is one that's very applicable to some products, and not at all to others. We have a fair number of testing indicators that are only applicable to a subset of products - we deal with that by changing the weighting of the different elements we test for based on the product vertical. So, in cases where we don't think user authentication is necessary, we could just assign a 0 weight to this item. It is extremely relevant in some cases, though, so I think it should still be included.

The only possible change is if you thought it should talk more generally about user identity/authentication. We worded the high level criteria to be as understandable to a layperson as possible, and passwords are something everyone is familiar with.

NH-Jedi commented 7 years ago

Actually, discounting the password issue where it is not as important is not a good approach. Many sites decide they need "password" protection of users (which really is just confirmation of user identity for marketing purposes) .... by forcing users to use passwords, they create a culture of password abuse ... this is reflected in many ways. Folks use the same password everywhere (which is fine for these "noise" sites, but problematic when it is used to protect real data). Folks make lists of passwords that are readily disclosed/discovered -- again not an issue for noise sites, but more of a problem for real ones. Finally, folks become numb to the real reasons for passwords, forcing serious sites into secondary and deeper levels of protection. A simple example is the movement of Social Security to require two-phase identification ... expecting older folks to have smart phones that can be used to confirm their login credentials, and/or expecting folks to have access to the phone at the same time they have internet access (not easy in rural settings).

So, some proactive statements about passwords would be useful. For example, downgrading a site for requiring a password when none is really needed. (And I might point out that with web-bugs, persistent cookies, etc., identification of a person sufficient for most purposes does not even require a login.)

Best wishes,
Jim

Jim Isaak

Now Published! in Live Free or Ride http://www.nhbooksellers.com/#!product/prd1/4553219531/live-free-or-ride%3A-tales-of-the-concord-coach (part of the NH Pulp Fiction anthology series)

www.JimIsaak.com

On Wed, May 24, 2017 at 1:31 PM, citl-s notifications@github.com wrote:

I think this is one that's very applicable to some products, and not at all to others. We have a fair number of testing indicators that are only applicable to a subset of products - we deal with that by changing the weighting of the different elements we test for based on the product vertical. So, in cases where we don't think user authentication is necessary, we could just assign a 0 weight to this item. It is extremely relevant in some cases, though, so I think it should still be included.

The only possible change is if you thought it should talk more generally about user identity/authentication. We worded the high level criteria to be as understandable to a layperson as possible, and passwords are something everyone is familiar with.


royapakzad commented 7 years ago

Keeping in mind that online users might prefer to use a passphrase instead of a password, one indicator could be whether the product/service/app lets you set a passphrase. Most products don't let you choose a password more than 10 characters long.
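The two ideas raised in this thread, a probe-style indicator for "does the product let you set a passphrase" and per-vertical weighting that zeroes out an indicator where authentication is not material, can be sketched as a small test harness. The code below is an added illustration, not part of the Digital Standard repository or of anyone's comment here; the two policy functions stand in for a product's sign-up validator (hypothetical), and the verticals, weights and probe strings are constructed for the example.

```python
"""Added example (hypothetical, not the Digital Standard project's code):
probe a sign-up password policy for the 'accepts a passphrase' indicator
and fold indicator results into a weighted score per product vertical."""

# Constructed passphrase candidates a tester might try at sign-up.
PROBES = {
    "short_password": "Tr0ub4dor!",                 # 10 chars, fits a tight length cap
    "four_words": "correct horse battery staple",   # 28 chars, contains spaces
    "long_sentence": "my cat knocked the lamp off the desk again in 2017",  # 50 chars
}


def restrictive_policy(pw: str) -> bool:
    """Hypothetical validator of the kind the thread complains about:
    caps length at 10 and rejects spaces, so no multi-word passphrase fits."""
    return 8 <= len(pw) <= 10 and " " not in pw


def passphrase_friendly_policy(pw: str) -> bool:
    """Hypothetical validator that enforces a minimum length and a generous
    maximum. A cap is still sensible: hashing unbounded input costs CPU."""
    return 12 <= len(pw) <= 128


def passphrase_indicator(policy) -> dict:
    """Run every probe through the policy and decide the indicator: the
    product 'lets you set a passphrase' only if all multi-word probes pass."""
    results = {name: policy(pw) for name, pw in PROBES.items()}
    multiword_ok = all(results[n] for n in ("four_words", "long_sentence"))
    return {"probes": results, "passes": multiword_ok}


# Constructed per-vertical weights, mirroring the thread's suggestion to give
# an indicator weight 0 where it does not apply to the product category.
# 'no_unneeded_login' is the thread's 'is identity here needed?' judgement,
# supplied by the tester rather than probed automatically.
VERTICAL_WEIGHTS = {
    "banking": {"accepts_passphrase": 1.0, "no_unneeded_login": 0.0},
    "magazine_subscription": {"accepts_passphrase": 0.0, "no_unneeded_login": 1.0},
}


def weighted_score(indicators: dict, weights: dict) -> float:
    """Weighted fraction of passed indicators; zero-weight indicators drop out.
    If nothing applies to this vertical there is nothing to penalise."""
    total = sum(weights.get(k, 0.0) for k in indicators)
    if total == 0:
        return 1.0
    earned = sum(weights.get(k, 0.0) for k, ok in indicators.items() if ok)
    return earned / total


def score_product(vertical: str, policy, login_needed: bool) -> float:
    """Combine the probed passphrase indicator with the tester's judgement on
    whether a login is needed at all, weighted for the product vertical."""
    indicators = {
        "accepts_passphrase": passphrase_indicator(policy)["passes"],
        "no_unneeded_login": login_needed,  # passes if the login is justified
    }
    return weighted_score(indicators, VERTICAL_WEIGHTS[vertical])


if __name__ == "__main__":
    for name, policy in (("restrictive", restrictive_policy),
                         ("passphrase_friendly", passphrase_friendly_policy)):
        print(name, passphrase_indicator(policy))
    print("bank, restrictive:", score_product("banking", restrictive_policy, True))
    print("magazine, restrictive, login not needed:",
          score_product("magazine_subscription", restrictive_policy, False))
```

Running it shows the restrictive policy failing both multi-word probes (and therefore the indicator) while the friendly policy passes them; the banking vertical is then penalised for the failed passphrase indicator, whereas a magazine site is not, because that indicator carries weight 0 there and it is instead scored on whether the login was needed at all.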