Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #67504

Re: Password validation security issue

References (5 earlier) <CAPTjJmra0AjHYjk3G+2mSgsewpX0qcmcKpQtqnebHXsQfT2YqQ@mail.gmail.com> <mailman.7592.1393788339.18130.python-list@python.org> <roy-5B94F1.15010902032014@news.panix.com> <5313d7fe$0$29985$c3e8da3$5496439d@news.astraweb.com> <CALwzidmTaS5QgeQcAbuU8T5e4Hp=u3e97z5vNKrUe24GysCSCg@mail.gmail.com>
Date 2014-03-03 13:56 +1100
Subject Re: Password validation security issue
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.7619.1393815421.18130.python-list@python.org> (permalink)

Show all headers | View raw

On Mon, Mar 3, 2014 at 12:52 PM, Ian Kelly <ian.g.kelly@gmail.com> wrote:
> On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano
> <steve+comp.lang.python@pearwood.info> wrote:
>> People have managed physical keys for *centuries*. Yes, there are a class
>> of threats where you lose your key, or someone steals it, or makes a
>> copy, but the risks are well-understood and can be managed even by your
>> grandmother. We have good solutions for those problems that work well,
>> and many of them apply just as well to sticky notes with secure passwords
>> written on them.
>
> I don't know how well the analogy holds up.  People protect their
> keys, because a) if they lose them, they can't get into their house or
> business, and b) if they're stolen, somebody else could gain access
> and steal expensive items from them.  People are less likely to
> protect their sticky notes, because a) nobody is going to steal a
> piece of paper, and b) if it does go missing, the IT guy is just one
> phone call away, and c) who would want to break into my desktop
> anyway? I don't have any trade secrets in there.

The greatest threats these days are from the network, not from someone
physically walking into an office. (That said, though, the low-hanging
fruit from walking into an office can be *extremely* tempting. Pulling
off a basic password leech off sticky notes is often so easy that it
can be done as a visitor, or at least as a pizza deliveryman.)
Ultimately, any network-accessible resource is protected by some
system of credentials that can be guessed; the only question is how
hard it is to guess. Any scheme to steal the password has to be easier
than guessing, or it's not worth it. Breaking a salted SHA-256 versus
XKCD 538 password cracking? Take your pick, but guessing a
six-character password beats both (being quicker than the one and more
subtle than the other).

Maybe salted SHA-256 isn't perfect, but it's certainly (a) a lot
better than plain text, unsalted hashes, or salted MD5, and (b) good
enough to raise the cracking of the hash above a lot of other
infiltration techniques.

ChrisA

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-01 09:49 -0800
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 19:31 +0100
  Re: Password validation security issue Tim Chase <python.list@tim.thechases.com> - 2014-03-01 12:38 -0600
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:43 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:45 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 20:54 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-01 15:25 -0500
      Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 23:07 +0100
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 09:13 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 07:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-02 20:25 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-02 15:01 -0500
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 07:32 +1100
      Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 01:16 +0000
        Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:52 -0700
          Re: Password validation security issue Steven D'Aprano <steve@pearwood.info> - 2014-03-03 04:38 +0000
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 16:44 +1100
            Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 23:50 -0700
        Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 13:56 +1100
          Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-03 08:41 -0500
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 00:55 +1100
              Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 16:46 +0000
                Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 05:46 +1100
            Re: Password validation security issue MRAB <python@mrabarnett.plus.com> - 2014-03-03 16:29 +0000
            Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 17:41 +0000
  Re: Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-02 15:10 -0800
    Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:49 -0700
    Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 02:30 +0000

csiph-web