Subject: Re: Password validation security issue
From: Chris Angelico
Date: Tue, 4 Mar 2014 00:55:45 +1100
Newsgroups: comp.lang.python
Cc: python-list@python.org

On Tue, Mar 4, 2014 at 12:41 AM, Roy Smith wrote:
> I used to work at which had a typical big company IT
> department which enforced all sorts of annoying pseudo-security rules.
> As far as I could figure out, however, all you needed to get them to
> reset anybody's password and tell you the new one was to know their
> employee ID number (visible on the front of their ID badge), and to make
> the call from their desk phone.

Technically, that's a separate vulnerability. If you figure out someone
else's password, you can log in as that person and nobody is any the
wiser (bar detailed logs, eg of IP addresses). Getting a password reset
will at least alert the person on their next login.

That may or may not be safe, of course. Doing a password reset at 4:30pm
the day before someone goes away for two months might give you free rein
for that time *and* might not even arouse suspicions ("I can't remember
my password after the break, can you reset it please?").
But it's an attack vector that MUST be considered, which is why I never
tell the truth in any "secret question / secret answer" boxes. Why some
sites think "mother's maiden name" is at all safe is beyond my
comprehension. And that's not counting the ones that I can't answer
because I can't find the "NaN" key on my keyboard, like "Surname of
first girlfriend".

*twiddle thumbs*

ChrisA
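An added example, not from Chris's post or from anyone in the thread, showing both halves of the point above in code: on the client side, fill the "secret answer" box with a random value kept in a password manager rather than a fact like a maiden name; on the server side, store answers the way passwords are stored (salted, slow hash, constant-time compare) and record every reset attempt so the account owner is told about it at next login. The question list, the user names, the in-memory store and the PBKDF2 round count are assumptions for illustration, not anything a particular site does.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import unicodedata
from datetime import datetime, timezone

# Assumed example questions; the layout of this whole module is illustrative.
QUESTIONS = ("Mother's maiden name?", "Surname of first girlfriend?")
PBKDF2_ROUNDS = 100_000  # an answer is a password, so hash it like one


def random_answer() -> str:
    """Client side: a 128-bit random 'answer' to paste into the box and keep
    in a password manager. Lowercase hex survives the server's case-folding
    in normalize() without losing entropy."""
    return secrets.token_hex(16)


def normalize(answer: str) -> bytes:
    """Canonicalise a typed answer ('Smith ' matches 'smith') before hashing."""
    return unicodedata.normalize("NFKC", answer).strip().casefold().encode()


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked answer table is not a lookup table."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, PBKDF2_ROUNDS)


class RecoveryStore:
    """Server side, in memory for the example. A real deployment would back
    this with a database and rate-limit attempts per account and per source."""

    def __init__(self) -> None:
        self._answers: dict[tuple[str, int], tuple[bytes, bytes]] = {}
        self.audit_log: list[dict] = []

    def enroll(self, user: str, answers: list[str]) -> None:
        for idx, answer in enumerate(answers):
            salt = secrets.token_bytes(16)
            self._answers[(user, idx)] = (salt, hash_answer(answer, salt))

    def _check(self, user: str, idx: int, answer: str) -> bool:
        salt, expected = self._answers[(user, idx)]
        return hmac.compare_digest(hash_answer(answer, salt), expected)

    def reset_password(self, user: str, answers: list[str], source: str) -> str | None:
        """Every attempt is logged, success or failure, so the owner sees it at
        next login. All answers are checked rather than short-circuited, so the
        response time does not reveal which one was wrong."""
        results = [self._check(user, i, a) for i, a in enumerate(answers)]
        ok = all(results)
        self.audit_log.append({
            "user": user,
            "source": source,
            "ok": ok,
            "at": datetime.now(timezone.utc).isoformat(),
        })
        return secrets.token_urlsafe(12) if ok else None

    def notices_for(self, user: str) -> list[dict]:
        """What to show the user at next login: every reset attempt on the account."""
        return [entry for entry in self.audit_log if entry["user"] == user]


if __name__ == "__main__":
    store = RecoveryStore()
    # Constructed sample: "alice" answered truthfully with guessable facts.
    store.enroll("alice", ["Smith", "Jones"])
    print("guessed facts:", store.reset_password("alice", ["smith", "jones"], "desk phone"))
    # Constructed sample: "bob" pasted random answers from a password manager.
    bobs_answers = [random_answer() for _ in QUESTIONS]
    store.enroll("bob", bobs_answers)
    print("guessed facts:", store.reset_password("bob", ["smith", "jones"], "203.0.113.7"))
    print("real answers: ", store.reset_password("bob", bobs_answers, "203.0.113.8"))
    for notice in store.notices_for("bob"):
        print("reset attempt:", notice)
```

The normalization step is the one design choice worth a second look: folding case and whitespace is what makes human-typed answers usable at all, and it costs nothing for hex answers, but it does shave entropy off mixed-case random strings, which is why `random_answer` sticks to lowercase hex.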