Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #67563

Re: Password validation security issue

Date 2014-03-03 16:29 +0000
From MRAB <python@mrabarnett.plus.com>
Subject Re: Password validation security issue
References (8 earlier) <5313d7fe$0$29985$c3e8da3$5496439d@news.astraweb.com> <CALwzidmTaS5QgeQcAbuU8T5e4Hp=u3e97z5vNKrUe24GysCSCg@mail.gmail.com> <mailman.7619.1393815421.18130.python-list@python.org> <roy-759EB5.08411003032014@news.panix.com> <CAPTjJmpt6E-xsKSs5-bts2pjC6y0EgM7HwGJocHp5_YBARywzw@mail.gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.7649.1393864199.18130.python-list@python.org> (permalink)

Show all headers | View raw

On 2014-03-03 13:55, Chris Angelico wrote:
> On Tue, Mar 4, 2014 at 12:41 AM, Roy Smith <roy@panix.com> wrote:
>> I used to work at <big company> which had a typical big company IT
>> department which enforced all sorts of annoying pseudo-security rules.
>> As far as I could figure out, however, all you needed to get them to
>> reset anybody's password and tell you the new one was to know their
>> employee ID number (visible on the front of their ID badge), and to make
>> the call from their desk phone.
>
> Technically, that's a separate vulnerability. If you figure out
> someone else's password, you can log in as that person and nobody is
> any the wiser (bar detailed logs eg of IP addresses). Getting a
> password reset will at least alert the person on their next login.
> That may or may not be safe, of course. Doing a password reset at
> 4:30pm the day before someone goes away for two months might give you
> free reign for that time *and* might not even arouse suspicions ("I
> can't remember my password after the break, can you reset it
> please?").
>
> But it's an attack vector that MUST be considered, which is why I
> never tell the truth in any "secret question / secret answer" boxes.
> Why some sites think "mother's maiden name" is at all safe is beyond
> my comprehension. And that's not counting the ones that I can't answer
> because I can't find the "NaN" key on my keyboard, like "Surname of
> first girlfriend". *twiddle thumbs*
>
I don't think you're obliged to answer such questions truthfully.

Q: Surname of first girlfriend?
A: Luxury Yacht

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-01 09:49 -0800
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 19:31 +0100
  Re: Password validation security issue Tim Chase <python.list@tim.thechases.com> - 2014-03-01 12:38 -0600
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:43 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:45 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 20:54 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-01 15:25 -0500
      Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 23:07 +0100
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 09:13 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 07:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-02 20:25 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-02 15:01 -0500
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 07:32 +1100
      Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 01:16 +0000
        Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:52 -0700
          Re: Password validation security issue Steven D'Aprano <steve@pearwood.info> - 2014-03-03 04:38 +0000
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 16:44 +1100
            Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 23:50 -0700
        Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 13:56 +1100
          Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-03 08:41 -0500
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 00:55 +1100
              Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 16:46 +0000
                Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 05:46 +1100
            Re: Password validation security issue MRAB <python@mrabarnett.plus.com> - 2014-03-03 16:29 +0000
            Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 17:41 +0000
  Re: Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-02 15:10 -0800
    Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:49 -0700
    Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 02:30 +0000

csiph-web