Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!news.mixmin.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed4a.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.143 X-Spam-Level: * X-Spam-Evidence: '*H*': 0.71; '*S*': 0.00; '(b)': 0.07; 'keys,': 0.09; 'subtle': 0.09; 'cc:addr:python-list': 0.11; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'fruit': 0.16; 'guess.': 0.16; 'guessing': 0.16; 'pizza': 0.16; 'pulling': 0.16; 'subject:Password': 0.16; 'subject:issue': 0.16; 'subject:security': 0.16; 'wrote:': 0.18; 'written': 0.21; 'network,': 0.22; 'cc:addr:python.org': 0.22; '(a)': 0.24; 'certainly': 0.24; 'text,': 0.24; 'mon,': 0.24; 'question': 0.24; 'cc:2**0': 0.24; 'holds': 0.26; 'least': 0.26; 'header:In-Reply- To:1': 0.27; 'raise': 0.29; 'said,': 0.30; 'message- id:@mail.gmail.com': 0.30; 'easier': 0.31; 'breaking': 0.31; 'credentials': 0.31; "d'aprano": 0.31; 'keys': 0.31; 'piece': 0.31; 'steven': 0.31; 'class': 0.32; 'there.': 0.32; 'up.': 0.33; 'plain': 0.33; 'maybe': 0.34; 'could': 0.34; 'basic': 0.35; "can't": 0.35; 'but': 0.35; 'received:google.com': 0.35; 'there': 0.35; 'passwords': 0.36; 'scheme': 0.36; 'done': 0.36; 'problems': 0.38; 'somebody': 0.38; 'pm,': 0.38; 'resource': 0.38; 'does': 0.39; 'expensive': 0.39; 'though,': 0.39; 'enough': 0.39; 'how': 0.40; 'days': 0.60; 'even': 0.60; 'easy': 0.60; 'office': 0.60; 'greatest': 0.60; 'guy': 0.60; 'ian': 0.60; 'break': 0.61; 'skip:n 10': 0.64; 'more': 0.64; '(that': 0.65; 'phone': 0.66; 'worth': 0.66; 'mar': 0.68; 'lose': 0.68; 'nobody': 0.68; 'secure': 0.71; 'physical': 0.72; 'gain': 0.79; 'protect': 0.79; 'business,': 0.83; 'beats': 0.84; 'quicker': 0.84; 'threats': 0.84; 'walking': 0.91; 'to:none': 0.92; 'secrets': 0.93 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=wxPF76d6Qnk/1Cjf69SMtZY4lPQymXiHfasVp+SK9I0=; b=scqLW8HP0SRb2QZb8jZoB9+MnCaSUPK18uZ9auIalLrzDa9gT9WkG3qKu5CiJeH8Qv Zb/33mIxTSRvvoR+P75aYLQ54BoggnT+F2glCheTAtmgzsKWv9/m5xgleRzyUSRUMLFH Yiwc7JfikM3UUyWgsqN7JH2AAQbvmtOHpfWBFtBpwLOkKP1LkSBouA6GI2lh8KWvCgQM aAUBsgNG7CD1hZeXohN5rl+W9t/EdMBaK+1Qyqowr94+RMz4G/YMn3MtVIVY3o4CjBT+ o+QOdUi2frpGd0EF/kSqI71Q2R70D9fgLzqZImhP+MG7h2gTajA1Lea02QiTwXIML/1i 53AQ== MIME-Version: 1.0 X-Received: by 10.68.247.6 with SMTP id ya6mr16817718pbc.45.1393815418536; Sun, 02 Mar 2014 18:56:58 -0800 (PST) In-Reply-To: References: <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> <5313d7fe$0$29985$c3e8da3$5496439d@news.astraweb.com> Date: Mon, 3 Mar 2014 13:56:58 +1100 Subject: Re: Password validation security issue From: Chris Angelico Cc: Python Content-Type: text/plain; charset=UTF-8 X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 38 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1393815421 news.xs4all.nl 2837 [2001:888:2000:d::a6]:35848 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:67504 On Mon, Mar 3, 2014 at 12:52 PM, Ian Kelly wrote: > On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano > wrote: >> People have managed physical keys for *centuries*. Yes, there are a class >> of threats where you lose your key, or someone steals it, or makes a >> copy, but the risks are well-understood and can be managed even by your >> grandmother. We have good solutions for those problems that work well, >> and many of them apply just as well to sticky notes with secure passwords >> written on them. > > I don't know how well the analogy holds up. People protect their > keys, because a) if they lose them, they can't get into their house or > business, and b) if they're stolen, somebody else could gain access > and steal expensive items from them. People are less likely to > protect their sticky notes, because a) nobody is going to steal a > piece of paper, and b) if it does go missing, the IT guy is just one > phone call away, and c) who would want to break into my desktop > anyway? I don't have any trade secrets in there. The greatest threats these days are from the network, not from someone physically walking into an office. (That said, though, the low-hanging fruit from walking into an office can be *extremely* tempting. Pulling off a basic password leech off sticky notes is often so easy that it can be done as a visitor, or at least as a pizza deliveryman.) Ultimately, any network-accessible resource is protected by some system of credentials that can be guessed; the only question is how hard it is to guess. Any scheme to steal the password has to be easier than guessing, or it's not worth it. Breaking a salted SHA-256 versus XKCD 538 password cracking? Take your pick, but guessing a six-character password beats both (being quicker than the one and more subtle than the other). Maybe salted SHA-256 isn't perfect, but it's certainly (a) a lot better than plain text, unsalted hashes, or salted MD5, and (b) good enough to raise the cracking of the hash above a lot of other infiltration techniques. ChrisA