Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #67504

Re: Password validation security issue

Path csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!news.mixmin.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed4a.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path <rosuav@gmail.com>
X-Original-To python-list@python.org
Delivered-To python-list@mail.python.org
X-Spam-Status OK 0.143
X-Spam-Level *
X-Spam-Evidence '*H*': 0.71; '*S*': 0.00; '(b)': 0.07; 'keys,': 0.09; 'subtle': 0.09; 'cc:addr:python-list': 0.11; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'fruit': 0.16; 'guess.': 0.16; 'guessing': 0.16; 'pizza': 0.16; 'pulling': 0.16; 'subject:Password': 0.16; 'subject:issue': 0.16; 'subject:security': 0.16; 'wrote:': 0.18; 'written': 0.21; 'network,': 0.22; 'cc:addr:python.org': 0.22; '(a)': 0.24; 'certainly': 0.24; 'text,': 0.24; 'mon,': 0.24; 'question': 0.24; 'cc:2**0': 0.24; 'holds': 0.26; 'least': 0.26; 'header:In-Reply- To:1': 0.27; 'raise': 0.29; 'said,': 0.30; 'message- id:@mail.gmail.com': 0.30; 'easier': 0.31; 'breaking': 0.31; 'credentials': 0.31; "d'aprano": 0.31; 'keys': 0.31; 'piece': 0.31; 'steven': 0.31; 'class': 0.32; 'there.': 0.32; 'up.': 0.33; 'plain': 0.33; 'maybe': 0.34; 'could': 0.34; 'basic': 0.35; "can't": 0.35; 'but': 0.35; 'received:google.com': 0.35; 'there': 0.35; 'passwords': 0.36; 'scheme': 0.36; 'done': 0.36; 'problems': 0.38; 'somebody': 0.38; 'pm,': 0.38; 'resource': 0.38; 'does': 0.39; 'expensive': 0.39; 'though,': 0.39; 'enough': 0.39; 'how': 0.40; 'days': 0.60; 'even': 0.60; 'easy': 0.60; 'office': 0.60; 'greatest': 0.60; 'guy': 0.60; 'ian': 0.60; 'break': 0.61; 'skip:n 10': 0.64; 'more': 0.64; '(that': 0.65; 'phone': 0.66; 'worth': 0.66; 'mar': 0.68; 'lose': 0.68; 'nobody': 0.68; 'secure': 0.71; 'physical': 0.72; 'gain': 0.79; 'protect': 0.79; 'business,': 0.83; 'beats': 0.84; 'quicker': 0.84; 'threats': 0.84; 'walking': 0.91; 'to:none': 0.92; 'secrets': 0.93
DKIM-Signature v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=wxPF76d6Qnk/1Cjf69SMtZY4lPQymXiHfasVp+SK9I0=; b=scqLW8HP0SRb2QZb8jZoB9+MnCaSUPK18uZ9auIalLrzDa9gT9WkG3qKu5CiJeH8Qv Zb/33mIxTSRvvoR+P75aYLQ54BoggnT+F2glCheTAtmgzsKWv9/m5xgleRzyUSRUMLFH Yiwc7JfikM3UUyWgsqN7JH2AAQbvmtOHpfWBFtBpwLOkKP1LkSBouA6GI2lh8KWvCgQM aAUBsgNG7CD1hZeXohN5rl+W9t/EdMBaK+1Qyqowr94+RMz4G/YMn3MtVIVY3o4CjBT+ o+QOdUi2frpGd0EF/kSqI71Q2R70D9fgLzqZImhP+MG7h2gTajA1Lea02QiTwXIML/1i 53AQ==
MIME-Version 1.0
X-Received by 10.68.247.6 with SMTP id ya6mr16817718pbc.45.1393815418536; Sun, 02 Mar 2014 18:56:58 -0800 (PST)
In-Reply-To <CALwzidmTaS5QgeQcAbuU8T5e4Hp=u3e97z5vNKrUe24GysCSCg@mail.gmail.com>
References <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> <CAPTjJmqCTLqXgmHMm2QGYJB1MmYEnhMV3OGe0jPc_UOoUQ9gQA@mail.gmail.com> <let920$fmn$1@ger.gmane.org> <CAPTjJmq0MYQugUnsL52ZN0um=V3iABHmM4+vsffD=+2YV7t=MA@mail.gmail.com> <letdt5$1g3$1@ger.gmane.org> <CAPTjJmra0AjHYjk3G+2mSgsewpX0qcmcKpQtqnebHXsQfT2YqQ@mail.gmail.com> <mailman.7592.1393788339.18130.python-list@python.org> <roy-5B94F1.15010902032014@news.panix.com> <5313d7fe$0$29985$c3e8da3$5496439d@news.astraweb.com> <CALwzidmTaS5QgeQcAbuU8T5e4Hp=u3e97z5vNKrUe24GysCSCg@mail.gmail.com>
Date Mon, 3 Mar 2014 13:56:58 +1100
Subject Re: Password validation security issue
From Chris Angelico <rosuav@gmail.com>
Cc Python <python-list@python.org>
Content-Type text/plain; charset=UTF-8
X-BeenThere python-list@python.org
X-Mailman-Version 2.1.15
Precedence list
List-Id General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive <http://mail.python.org/pipermail/python-list/>
List-Post <mailto:python-list@python.org>
List-Help <mailto:python-list-request@python.org?subject=help>
List-Subscribe <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups comp.lang.python
Message-ID <mailman.7619.1393815421.18130.python-list@python.org> (permalink)
Lines 38
NNTP-Posting-Host 2001:888:2000:d::a6
X-Trace 1393815421 news.xs4all.nl 2837 [2001:888:2000:d::a6]:35848
X-Complaints-To abuse@xs4all.nl
Xref csiph.com comp.lang.python:67504

Show key headers only | View raw

On Mon, Mar 3, 2014 at 12:52 PM, Ian Kelly <ian.g.kelly@gmail.com> wrote:
> On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano
> <steve+comp.lang.python@pearwood.info> wrote:
>> People have managed physical keys for *centuries*. Yes, there are a class
>> of threats where you lose your key, or someone steals it, or makes a
>> copy, but the risks are well-understood and can be managed even by your
>> grandmother. We have good solutions for those problems that work well,
>> and many of them apply just as well to sticky notes with secure passwords
>> written on them.
>
> I don't know how well the analogy holds up.  People protect their
> keys, because a) if they lose them, they can't get into their house or
> business, and b) if they're stolen, somebody else could gain access
> and steal expensive items from them.  People are less likely to
> protect their sticky notes, because a) nobody is going to steal a
> piece of paper, and b) if it does go missing, the IT guy is just one
> phone call away, and c) who would want to break into my desktop
> anyway? I don't have any trade secrets in there.

The greatest threats these days are from the network, not from someone
physically walking into an office. (That said, though, the low-hanging
fruit from walking into an office can be *extremely* tempting. Pulling
off a basic password leech off sticky notes is often so easy that it
can be done as a visitor, or at least as a pizza deliveryman.)
Ultimately, any network-accessible resource is protected by some
system of credentials that can be guessed; the only question is how
hard it is to guess. Any scheme to steal the password has to be easier
than guessing, or it's not worth it. Breaking a salted SHA-256 versus
XKCD 538 password cracking? Take your pick, but guessing a
six-character password beats both (being quicker than the one and more
subtle than the other).

Maybe salted SHA-256 isn't perfect, but it's certainly (a) a lot
better than plain text, unsalted hashes, or salted MD5, and (b) good
enough to raise the cracking of the hash above a lot of other
infiltration techniques.

ChrisA

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-01 09:49 -0800
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 19:31 +0100
  Re: Password validation security issue Tim Chase <python.list@tim.thechases.com> - 2014-03-01 12:38 -0600
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:43 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:45 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 20:54 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-01 15:25 -0500
      Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 23:07 +0100
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 09:13 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 07:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-02 20:25 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-02 15:01 -0500
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 07:32 +1100
      Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 01:16 +0000
        Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:52 -0700
          Re: Password validation security issue Steven D'Aprano <steve@pearwood.info> - 2014-03-03 04:38 +0000
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 16:44 +1100
            Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 23:50 -0700
        Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 13:56 +1100
          Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-03 08:41 -0500
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 00:55 +1100
              Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 16:46 +0000
                Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 05:46 +1100
            Re: Password validation security issue MRAB <python@mrabarnett.plus.com> - 2014-03-03 16:29 +0000
            Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 17:41 +0000
  Re: Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-02 15:10 -0800
    Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:49 -0700
    Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 02:30 +0000

csiph-web