Re: Minimal Authorization

Terry Winograd (Winograd@cs.stanford.edu)
Mon, 15 Aug 1994 10:04:24 -0800


At 11:39 AM 8/13/94, Stephen D Crocker wrote:
> I don't know of applications where it makes
> sense to have passwords but doesn't matter if the passwords are
> disclosed to unauthorized people as they're sent over the network. I
> suppose there might be such applications, but I don't know of any.

I'll give an example we're doing now. We're putting up a set of web pages
describing HCI programs at universities around the world. Read access will
be open. Write access, using forms, will be controlled by a simple
password (per institution, sent in a field in the update form) so that
people can update the entries for their own institutions. Since the update
is on a per-entry basis (the form you get back when you click the "edit"
button is for the page on which you found it) it isn't convenient to do
this by simply having a separate (unadvertised) space of URLs for updating.

This amount of security means that a random student logging on to look
around the set of pages won't be able to change a page just out of
curiosity to see what happens. Anybody who is going to bother with putting
a sniffer on the net is going to have better things to do than to put
graffiti on course descriptions, and if they do, the worst that happens is
somebody looks foolish until they discover it and correct it.

--t