From: Chris Angelico
Newsgroups: comp.lang.python
Subject: Re: Password validation security issue
Date: Mon, 3 Mar 2014 07:32:16 +1100
References: <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com>

On Mon, Mar 3, 2014 at 7:01 AM, Roy Smith wrote:
> We recently got a frothing email from a user, which basically said, "You
> farking idiots, you emailed me my password in plain text!" It turns
> out, his user name was the same as his password and what we had sent him
> (in response to an account recovery query) was his username.

Sadly, there *are* systems that will actually email passwords in plain
text, and don't tell you so beforehand (Mailman at least tells you that
the password isn't meant for security). I met one recently. Did not
appreciate that. Fortunately when I changed my password, the new
password wasn't emailed back to me.

ChrisA