
Re: Password validation security issue

In-Reply-To <53140749$0$2923$c3e8da3$76491128@news.astraweb.com>
Date Mon, 3 Mar 2014 16:44:26 +1100
Subject Re: Password validation security issue
From Chris Angelico <rosuav@gmail.com>
Cc "python-list@python.org" <python-list@python.org>
Newsgroups comp.lang.python
Message-ID <mailman.7623.1393825470.18130.python-list@python.org>



On Mon, Mar 3, 2014 at 3:38 PM, Steven D'Aprano <steve@pearwood.info> wrote:
> Oh really? Chances are your wallet is *full* of pieces of paper that
> people would steal, given half the chance.

Alas no... around here, wallets get filled with pieces of plastic [1],
of which my wallet is sadly devoid. And I can't imagine anyone putting
effort into stealing my Gilbert & Sullivan Society membership card,
nor my coupon card for a half-price watch battery replacement on
condition that I take it back to some place that I don't go anywhere
near any more... But don't let that detract from your point :D

>> and b) if it does go missing, the IT guy is just one phone call
>> away,
>
> Last time I had to call my bank to unlock my account, it took two phone
> calls and nearly three hours of elapsed time. And I was lucky I didn't
> have to physically go in to a branch and show photo ID.

That's about par for the course. Worst part of it is when you lose
your connection and have to (a) go right back to the end of the caller
queue, (b) get through to a different agent, and therefore (c) have to
start over with the whole identifying-yourself thing. I wish I could
invoke tmux or GNU Screen on arrival, and then just reconnect.

This is, perhaps, the best argument in favour of password security.
The thought that someone might steal your identity is so vague and
hard to comprehend that it won't scare people; the possibility of
someone stealing money is "Oh but my bank will keep me safe" (whether
or not that's true is quite tangential); but explain that forgetting
your password (or having someone else figure out your password) means
having to call support? *That* is an incentive.

> Having learned that, they're screwed: even in the (uncommon) case that
> their account will support a cryptographically strong passphrase, most
> people need a dozen or more different passwords and/or passphrases. (I
> have about 50, only a dozen of which I keep in my head.) Who is going to
> remember a 12 character high-entropy string for an account they only use
> once a year? Most people have trouble remembering four-digit PINs if they
> don't use them regularly.

What if you create XKCD 936 passwords, and then have one "master
password file" in which you store, for each password, four words that
are synonyms for the originals, plus the first letters of them?
(Obviously your master password file (a) never leaves your own
computer, and (b) should itself be encrypted with some secure
password, and treated with extreme sensitivity. But that gets around
the "once a year" problem, as you'll refer to this one file any time
you need to check any of your rare passwords.) As a second line of
defense before contacting support, it feels plausible, but I've never
actually had an opportunity to try it.

Of course, the whole concept depends on being able to use long
memorable passwords. Any system that sets a maximum password length of
anything less than about 30-40 characters is causing its users
problems. There's almost never any reason to set a maximum at all.

ChrisA

[1] http://en.wikipedia.org/wiki/Polymer_banknote
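The two practical points in the message above, XKCD 936-style passphrases kept with a first-letters hint, and maximum-length caps that reject them, can be shown in a few lines. The following is an added example and is not code from ChrisA's post or from anything on the list; the function names (`make_passphrase`, `longest_passphrase`, `validate_length`, `hint_initials`) and the tiny word list are constructed for illustration, and a real deployment would use a published list of several thousand words.

```python
import math
import secrets
from typing import Optional, Sequence, Tuple

# Constructed stand-in for a real passphrase word list (a real one such as a
# Diceware list has several thousand entries; this one is tiny so the example
# runs offline). Entropy figures below scale with the real list size.
WORDLIST: Sequence[str] = (
    "correct", "horse", "battery", "staple", "anchor", "basket", "candle",
    "dragon", "engine", "forest", "garden", "hammer", "island", "jungle",
    "kettle", "ladder", "marble", "needle", "orange", "pepper", "quartz",
    "rocket", "saddle", "tunnel", "valley", "walnut", "yellow", "zipper",
    "copper", "falcon", "meadow", "pillow",
)


def make_passphrase(words: int = 4, wordlist: Sequence[str] = WORDLIST, rng=secrets) -> str:
    """Build an XKCD 936-style passphrase: `words` entries drawn uniformly at
    random from `wordlist`, joined by spaces. `rng` only needs a .choice()
    method; `secrets` is the right default (a seeded random.Random is useful
    only when reproducing output in a test)."""
    return " ".join(rng.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(wordlist_size)


def longest_passphrase(words: int, wordlist: Sequence[str]) -> int:
    """Worst-case character length a `words`-word passphrase from `wordlist`
    can reach (longest word repeated, plus single-space separators). Any cap
    below this number will reject some legitimately generated passphrases."""
    return words * max(len(w) for w in wordlist) + (words - 1)


def hint_initials(phrase: str) -> str:
    """The 'first letters of the words' hint the post suggests keeping in the
    (encrypted) master file next to synonyms of the real words."""
    return "".join(w[0] for w in phrase.split())


def validate_length(password: str, min_length: int = 12,
                    max_length: Optional[int] = None) -> Tuple[bool, str]:
    """Length policy check. max_length=None means no cap, which is what the
    post argues for; a small cap is what turns a good passphrase into a
    rejected one."""
    n = len(password)
    if n < min_length:
        return False, f"too short ({n} < {min_length})"
    if max_length is not None and n > max_length:
        return False, f"too long ({n} > {max_length})"
    return True, "ok"


if __name__ == "__main__":
    phrase = make_passphrase()
    print(phrase, "->", hint_initials(phrase))
    print("entropy with this toy list:", passphrase_entropy_bits(4, len(WORDLIST)), "bits")
    print("entropy with a 2048-word list:", passphrase_entropy_bits(4, 2048), "bits")
    print("worst-case length from this list:", longest_passphrase(4, WORDLIST))
    for cap in (16, 32, None):
        print("cap", cap, "->", validate_length("correct horse battery staple", max_length=cap))
```

With a 2048-word list a four-word passphrase carries 44 bits of entropy and is routinely 25 to 35 characters long, so a 16-character cap is rejected outright by `validate_length` while the uncapped policy accepts it, which is the concrete form of the "30-40 characters" remark above.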



Thread

Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-01 09:49 -0800
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 19:31 +0100
  Re: Password validation security issue Tim Chase <python.list@tim.thechases.com> - 2014-03-01 12:38 -0600
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:43 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:45 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 20:54 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-01 15:25 -0500
      Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 23:07 +0100
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 09:13 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 07:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-02 20:25 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-02 15:01 -0500
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 07:32 +1100
      Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 01:16 +0000
        Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:52 -0700
          Re: Password validation security issue Steven D'Aprano <steve@pearwood.info> - 2014-03-03 04:38 +0000
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 16:44 +1100
            Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 23:50 -0700
        Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 13:56 +1100
          Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-03 08:41 -0500
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 00:55 +1100
              Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 16:46 +0000
                Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 05:46 +1100
            Re: Password validation security issue MRAB <python@mrabarnett.plus.com> - 2014-03-03 16:29 +0000
            Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 17:41 +0000
  Re: Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-02 15:10 -0800
    Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:49 -0700
    Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 02:30 +0000
