Date: Mon, 03 Mar 2014 16:29:51 +0000
From: MRAB
To: python-list@python.org
Newsgroups: comp.lang.python
Subject: Re: Password validation security issue

On 2014-03-03 13:55, Chris Angelico wrote:
> On Tue, Mar 4, 2014 at 12:41 AM, Roy Smith wrote:
>> I used to work at which had a typical big company IT
>> department which enforced all sorts of annoying pseudo-security rules.
>> As far as I could figure out, however, all you needed to get them to
>> reset anybody's password and tell you the new one was to know their
>> employee ID number (visible on the front of their ID badge), and to make
>> the call from their desk phone.
>
> Technically, that's a separate vulnerability. If you figure out
> someone else's password, you can log in as that person and nobody is
> any the wiser (bar detailed logs eg of IP addresses). Getting a
> password reset will at least alert the person on their next login.
> That may or may not be safe, of course. Doing a password reset at
> 4:30pm the day before someone goes away for two months might give you
> free rein for that time *and* might not even arouse suspicions ("I
> can't remember my password after the break, can you reset it
> please?").
>
> But it's an attack vector that MUST be considered, which is why I
> never tell the truth in any "secret question / secret answer" boxes.
> Why some sites think "mother's maiden name" is at all safe is beyond
> my comprehension. And that's not counting the ones that I can't answer
> because I can't find the "NaN" key on my keyboard, like "Surname of
> first girlfriend". *twiddle thumbs*
>
I don't think you're obliged to answer such questions truthfully.

Q: Surname of first girlfriend?
A: Luxury Yacht
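A worked illustration of the point made in this thread, added here as an example (it is not code from the post, nor from any project the posters mention): treat a "secret answer" exactly like a password. The server side stores it salted and slowly hashed with PBKDF2 from the standard library; the client side generates a random answer instead of a true one. The names (`normalize`, `hash_answer`, `verify_answer`, `dictionary_attack`, `random_answer`) and the surname and word lists are constructed for this example. The hashing does not rescue a truthful answer: "mother's maiden name" or "surname of first girlfriend" comes from a small candidate set, and `dictionary_attack` recovers "Smith" in a handful of guesses, while a made-up answer survives the same attack.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import List, Optional

# Server-side hash parameters: same construction as for a password, a
# per-record random salt plus a slow KDF (PBKDF2-HMAC-SHA256, stdlib).
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed surname list, standing in for the small candidate space an
# attacker really has for "mother's maiden name" style questions.
COMMON_SURNAMES = ["smith", "jones", "williams", "brown", "taylor",
                   "davies", "evans", "wilson", "thomas", "roberts"]

# Constructed word list for generating throwaway answers. A real tool
# would use a large diceware-style list or a password manager's generator.
WORDLIST = ["luxury", "yacht", "parrot", "spam", "lumberjack", "gumby",
            "walrus", "bicycle", "cheese", "shrubbery", "albatross", "ferret"]


def normalize(answer: str) -> str:
    """Canonicalise an answer before hashing so 'Smith', ' smith ' and
    'SMITH' all verify. Without this, legitimate users lock themselves out
    and fall back to the help desk, which is the weaker path."""
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.casefold().split())


def random_answer(n_words: int = 4) -> str:
    """A high-entropy 'secret answer' to give instead of the truth.
    With this 12-word list and 4 draws that is only ~14 bits; a 7776-word
    list gives ~52 bits, well beyond any surname dictionary."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(n_words))


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return 'salt$iterations$digest' (hex fields) for storage."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_answer(stored: str, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def dictionary_attack(stored: str, candidates: List[str]) -> Optional[str]:
    """What an attacker with the stored hash, or an online guessing budget,
    does: try the obvious candidates. Returns the recovered answer or None."""
    for guess in candidates:
        if verify_answer(stored, guess):
            return guess
    return None


if __name__ == "__main__":
    truthful = hash_answer("Smith")
    print("truthful answer recovered:",
          dictionary_attack(truthful, COMMON_SURNAMES))
    made_up = random_answer()
    print("made-up answer recovered:",
          dictionary_attack(hash_answer(made_up), COMMON_SURNAMES))
```

Note the division of labour: the salt and the slow KDF only raise the cost per guess; they do nothing about the size of the guess space, which is the property the question itself destroys. The only fix available to the user is to answer with something the attacker cannot enumerate and keep it in a password manager.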