Monday, December 15, 2008

Avoiding Clear Text Passwords

Perform the following steps to avoid sending cleartext passwords over the network:

  • If possible, remove the need for a password at all by specifying ClientCredentialType="Windows", ClientCredentialType="Certificate", or a custom token that does not require a password.

  • If the user must enter a password, protect the password by specifying either to secure the channel or to secure the messages. Do not specify in the configuration as this will provide no communication security.
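
The choices in these steps correspond to the security element of a WCF binding. The configuration below is an added example, not taken from the original post: it assumes a wsHttpBinding and the standard security modes None, Transport and Message, and the binding names are placeholders.

```xml
<!-- Added example: client credential options on a WCF wsHttpBinding.
     Binding names are hypothetical; reference one from an endpoint's
     bindingConfiguration attribute. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>

      <!-- WEAK: no channel or message protection. Whatever the client
           sends crosses the network readable by anyone on the path. -->
      <binding name="NoSecurity">
        <security mode="None" />
      </binding>

      <!-- Password required, channel secured: the endpoint address must be
           https://, so the Basic credential travels inside TLS. -->
      <binding name="PasswordOverSecureChannel">
        <security mode="Transport">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>

      <!-- Password required, messages secured: the UserName token is
           encrypted inside the SOAP message. The service must be
           configured with a certificate for this to work. -->
      <binding name="PasswordInSecuredMessage">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>

      <!-- No password at all: the caller's Windows identity is used. -->
      <binding name="WindowsCredential">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>

      <!-- No password at all: the caller presents an X.509 certificate. -->
      <binding name="CertificateCredential">
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>

    </wsHttpBinding>
  </bindings>
</system.serviceModel>
```

The client and the service must use matching binding settings; a review of a deployed configuration can start by searching for mode="None" on any binding whose endpoint accepts credentials.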
