
Re: Password validation security issue

Date Tue, 4 Mar 2014 05:46:48 +1100
Subject Re: Password validation security issue
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python


On Tue, Mar 4, 2014 at 3:46 AM, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> On Tue, 04 Mar 2014 00:55:45 +1100, Chris Angelico wrote:
>
>> But it's an attack vector that MUST be considered, which is why I never
>> tell the truth in any "secret question / secret answer" boxes. Why some
>> sites think "mother's maiden name" is at all safe is beyond my
>> comprehension. And that's not counting the ones that I can't answer
>> because I can't find the "NaN" key on my keyboard, like "Surname of
>> first girlfriend". *twiddle thumbs*
>
> If you lie to these secret questions -- and I strongly recommend that you
> do -- you should record the answers somewhere so you can retrieve them
> later, long after you've forgotten whether the name of your first pet was
> Obama bin Bush or Tarzan the King of the Desert. Trust me on this, you
> will need them.
>
> The missus has a Yahoo account, and being paranoid even by my standards
> for keeping her web presence completely separate from her real life, she
> invented fake answers to the secret questions like Your Birthday. (As you
> should. It is my opinion that lying to big faceless corporations is not a
> sin, but a duty. They are not on your side, and the more they know about
> you the more they will abuse the knowledge.)

I've followed this for a long time. If anything asks for my date of
birth and appears to be just verifying that I'm at least 13 years old,
I'll say Jan 1st in some year that's vaguely near my year of birth.
(This is largely because the drop down combo boxes usually already say
Jan 1st, and it's pointlessly tedious to aim for my exact year, much
less the day within that.) My brother's new wife (married last Nov)
didn't understand this about me when I was helping her port her mobile
phone onto the family account. The system asks me for a date of birth,
and I turn to her and say, "What date of birth did you use?" - and she
looks at me funny, not understanding why I don't already know what to
fill in. But for all I know, she could have set up her mobile account
with a DOB of 1912/6/23 in commemoration of cryptography.

But yes, on the (frequent) occasions when I lie through my teeth, I
usually record my answers as separate passwords.

ChrisA
