Here's a summary of the responses I've received.

1) RFC 2616 does not define the user:password@host scheme specifically for HTTP URLs, though its use has been supported in most if not all popular browsers until now.
2) Other RFCs do define this scheme in general, with the caveat that using this syntax can be a security risk (RFC 2396).
3) The behavior can be disabled by setting appropriate registry keys (irrelevant to most users).
4) Disabling this syntax will possibly help protect the less technologically savvy from phishing scams.

Points well taken. However:

* If it were up to me, I would have simply fixed IE so that the full URL is displayed correctly, for good or bad.
* The phishing scams will continue regardless of this change. The biggest security hole sits between the keyboard and the chair.
* Using "Remember my password" as a work-around is NOT good security.
* Using cookies for authentication is problematic. Many people turn them off, and you can't cross domains with them (well, you aren't supposed to be able to).

In general, most responders (on and off the list) agree that this change will break some apps, but that it is still a good idea.

Andy
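The user:password@host syntax the post discusses is easiest to understand by parsing it. The following is an added example, not code from the original message or from any browser vendor: a small RFC 2396-style authority parser that shows why everything before the "@" is credentials rather than the site, plus the kind of check a phishing filter would apply. The sample URLs are constructed; "evil.example" is an RFC 2606 reserved name, not a real site. Bracketed IPv6 literals are handled, but IDNA and DNS resolution are out of scope (an assumption of this example).

```javascript
// Added example, not code from the original post. Demonstrates the
// RFC 2396 userinfo syntax: in "http://A@B/", A is credentials and B is
// the host the browser actually connects to, so a URL can be made to read
// like one site while it really points at another.
// Assumption: sample URLs below are constructed; no DNS/IDNA handling.

// Split an http(s) URL into its authority components (RFC 2396 s. 3.2.2).
// The authority is everything after "//" up to the next "/", "?" or "#".
// The userinfo is the text before the last "@" in the authority (the rule
// the WHATWG URL Standard applies; RFC 2396 userinfo cannot contain "@",
// so for well-formed URLs both rules agree).
function parseHttpUrl(url) {
  const m = /^(https?):\/\/([^/?#]*)(.*)$/i.exec(url);
  if (!m) return null;
  const authority = m[2];
  const at = authority.lastIndexOf('@');
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);

  // host[:port], allowing a bracketed IPv6 literal such as [::1]:8080
  let host, port = null;
  if (hostport.startsWith('[')) {
    const close = hostport.indexOf(']');
    host = close === -1 ? hostport : hostport.slice(0, close + 1);
    const tail = close === -1 ? '' : hostport.slice(close + 1);
    port = tail.startsWith(':') ? tail.slice(1) : null;
  } else {
    const colon = hostport.lastIndexOf(':');
    host = colon === -1 ? hostport : hostport.slice(0, colon);
    port = colon === -1 ? null : hostport.slice(colon + 1);
  }

  // userinfo is "user[:password]"
  let user = null, password = null;
  if (userinfo !== null) {
    const c = userinfo.indexOf(':');
    user = c === -1 ? userinfo : userinfo.slice(0, c);
    password = c === -1 ? null : userinfo.slice(c + 1);
  }
  return { scheme: m[1].toLowerCase(), user, password,
           host: host.toLowerCase(), port, path: m[3] };
}

// The check a phishing filter would apply: any http(s) URL carrying userinfo
// is suspect, and one whose "user" part looks like a hostname (contains a dot)
// is the classic "http://trusted.site@attacker/" trick.
function classify(url) {
  const p = parseHttpUrl(url);
  if (!p) return { status: 'not-http' };
  if (p.user === null) return { status: 'ok', host: p.host };
  const hostLike = /\./.test(p.user);
  return { status: hostLike ? 'spoofed' : 'has-credentials',
           host: p.host, userinfo: p.user };
}

// Constructed sample URLs for the demonstration.
const SAMPLES = [
  'http://www.example.com/login',
  'http://www.example.com@evil.example/login',
  'http://user:secret@intranet.example:8080/app',
  'http://admin@[::1]:8080/',
];

function main() {
  for (const u of SAMPLES) {
    const ours = classify(u);
    // Cross-check against the built-in WHATWG URL parser (Node and browsers):
    // it splits host and username the same way.
    const wh = new URL(u);
    console.log(u, '->', JSON.stringify(ours),
                '| URL.hostname =', wh.hostname, '| URL.username =', wh.username);
  }
}
main();
```

Running it prints the second sample as "spoofed" with host evil.example and userinfo www.example.com, which is exactly the display problem the post is about: a browser that shows the whole string in the address bar invites the reader to trust the part before the "@".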