Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #67540

Re: Password validation security issue

From Roy Smith <roy@panix.com>
Newsgroups comp.lang.python
Subject Re: Password validation security issue
Date 2014-03-03 08:41 -0500
Organization PANIX Public Access Internet and UNIX, NYC
Message-ID <roy-759EB5.08411003032014@news.panix.com> (permalink)
References (6 earlier) <mailman.7592.1393788339.18130.python-list@python.org> <roy-5B94F1.15010902032014@news.panix.com> <5313d7fe$0$29985$c3e8da3$5496439d@news.astraweb.com> <CALwzidmTaS5QgeQcAbuU8T5e4Hp=u3e97z5vNKrUe24GysCSCg@mail.gmail.com> <mailman.7619.1393815421.18130.python-list@python.org>

Show all headers | View raw

In article <mailman.7619.1393815421.18130.python-list@python.org>,
 Chris Angelico <rosuav@gmail.com> wrote:

> The greatest threats these days are from the network, not from someone
> physically walking into an office. (That said, though, the low-hanging
> fruit from walking into an office can be *extremely* tempting. Pulling
> off a basic password leech off sticky notes is often so easy that it
> can be done as a visitor, or at least as a pizza deliveryman.)

Doesn't even require physical presence.  With the ubiquity of various 
video chat applications, as long as the sticky note is in the field of 
view of the camera, you've leaked the password.  With the right 
lighting, I wouldn't be surprised if you could pick up the reflection of 
a sticky note in somebody's eyeglasses.

So, here's my own (embarrassing) story of password leaking.  Back when 
smartphones were new, I had one of the early Palm Treos.  I decided a 
good place to store my passwords was as fields on my own card.  What I 
didn't realize was that if I beamed[*] my card to somebody, I was also 
giving them all my passwords, mostly because it had never occurred to me 
that I might want to beam my card to somebody.  Until somebody else in 
my office got another smart phone that had beaming capabilities and we 
decided to see how it worked.  It occurred to me as soon as we completed 
the first experiment.

I used to work at <big company> which had a typical big company IT 
department which enforced all sorts of annoying pseudo-security rules.  
As far as I could figure out, however, all you needed to get them to 
reset anybody's password and tell you the new one was to know their 
employee ID number (visible on the front of their ID badge), and to make 
the call from their desk phone.

[*] Beaming: a prehistoric technology which allows exchange of data over 
an infrared light beam.

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-01 09:49 -0800
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 19:31 +0100
  Re: Password validation security issue Tim Chase <python.list@tim.thechases.com> - 2014-03-01 12:38 -0600
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:43 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:45 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 20:54 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-01 15:25 -0500
      Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 23:07 +0100
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 09:13 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 07:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-02 20:25 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-02 15:01 -0500
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 07:32 +1100
      Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 01:16 +0000
        Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:52 -0700
          Re: Password validation security issue Steven D'Aprano <steve@pearwood.info> - 2014-03-03 04:38 +0000
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 16:44 +1100
            Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 23:50 -0700
        Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 13:56 +1100
          Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-03 08:41 -0500
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 00:55 +1100
              Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 16:46 +0000
                Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 05:46 +1100
            Re: Password validation security issue MRAB <python@mrabarnett.plus.com> - 2014-03-03 16:29 +0000
            Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 17:41 +0000
  Re: Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-02 15:10 -0800
    Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:49 -0700
    Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 02:30 +0000

csiph-web