Password validation security issue

Chris Angelico rosuav at gmail.com
Sun Mar 2 21:56:58 EST 2014


On Mon, Mar 3, 2014 at 12:52 PM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
> On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano
> <steve+comp.lang.python at pearwood.info> wrote:
>> People have managed physical keys for *centuries*. Yes, there are a class
>> of threats where you lose your key, or someone steals it, or makes a
>> copy, but the risks are well-understood and can be managed even by your
>> grandmother. We have good solutions for those problems that work well,
>> and many of them apply just as well to sticky notes with secure passwords
>> written on them.
>
> I don't know how well the analogy holds up.  People protect their
> keys, because a) if they lose them, they can't get into their house or
> business, and b) if they're stolen, somebody else could gain access
> and steal expensive items from them.  People are less likely to
> protect their sticky notes, because a) nobody is going to steal a
> piece of paper, and b) if it does go missing, the IT guy is just one
> phone call away, and c) who would want to break into my desktop
> anyway? I don't have any trade secrets in there.

The greatest threats these days are from the network, not from someone
physically walking into an office. (That said, though, the low-hanging
fruit from walking into an office can be *extremely* tempting. Pulling
off a basic password leech off sticky notes is often so easy that it
can be done as a visitor, or at least as a pizza deliveryman.)
Ultimately, any network-accessible resource is protected by some
system of credentials that can be guessed; the only question is how
hard it is to guess. Any scheme to steal the password has to be easier
than guessing, or it's not worth it. Breaking a salted SHA-256 versus
XKCD 538 password cracking? Take your pick, but guessing a
six-character password beats both (being quicker than the one and more
subtle than the other).

Maybe salted SHA-256 isn't perfect, but it's certainly (a) a lot
better than plain text, unsalted hashes, or salted MD5, and (b) good
enough to raise the cracking of the hash above a lot of other
infiltration techniques.

ChrisA
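The salted-versus-unsalted comparison from the message above, as an added Python example that is not part of the original thread (the sample user table and all function names are constructed for illustration):

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample user table; two users happen to share the same weak password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def unsalted_sha256(password: str) -> str:
    """Store SHA-256(password) only. Equal passwords give equal digests, so one
    leaked table exposes shared passwords and matches any precomputed digest
    list in a single lookup across every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Store (salt, SHA-256(salt || password)) with a fresh random 16-byte salt
    per user; equal passwords no longer look alike and each user must be
    attacked separately."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the user's stored salt and compare in constant time."""
    _, digest = salted_sha256(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def build_unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    return {name: unsalted_sha256(pw) for name, pw in users.items()}


def build_salted_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    return {name: salted_sha256(pw) for name, pw in users.items()}


def users_with_shared_digest(digests: Dict[str, str]) -> int:
    """Count users whose stored digest also appears under another user."""
    counts: Dict[str, int] = {}
    for d in digests.values():
        counts[d] = counts.get(d, 0) + 1
    return sum(1 for d in digests.values() if counts[d] > 1)


if __name__ == "__main__":
    unsalted = build_unsalted_store(SAMPLE_USERS)
    salted = build_salted_store(SAMPLE_USERS)
    print("shared digests, unsalted:", users_with_shared_digest(unsalted))
    print("shared digests, salted:", users_with_shared_digest({n: d for n, (_, d) in salted.items()}))
    s, d = salted["alice"]
    print("login ok:", verify_salted("hunter2", s, d), "wrong pw:", verify_salted("hunter3", s, d))
```

`users_with_shared_digest` is what makes the thread's ranking concrete: the unsalted store reports the two duplicate users, the salted store reports none. In production a deliberately slow construction such as PBKDF2, bcrypt or scrypt is the usual choice over plain salted SHA-256, since a single fast hash per guess is cheap to brute force.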