From: Ian Kelly
Date: Sun, 2 Mar 2014 18:52:40 -0700
Subject: Re: Password validation security issue
Newsgroups: comp.lang.python

On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano wrote:
> People have managed physical keys for *centuries*. Yes, there are a class
> of threats where you lose your key, or someone steals it, or makes a
> copy, but the risks are well-understood and can be managed even by your
> grandmother. We have good solutions for those problems that work well,
> and many of them apply just as well to sticky notes with secure passwords
> written on them.

I don't know how well the analogy holds up. People protect their keys, because a) if they lose them, they can't get into their house or business, and b) if they're stolen, somebody else could gain access and steal expensive items from them. People are less likely to protect their sticky notes, because a) nobody is going to steal a piece of paper, and b) if it does go missing, the IT guy is just one phone call away, and c) who would want to break into my desktop anyway? I don't have any trade secrets in there.