Password validation security issue

Steven D'Aprano steve+comp.lang.python at pearwood.info
Mon Mar 3 11:46:38 EST 2014


On Tue, 04 Mar 2014 00:55:45 +1100, Chris Angelico wrote:

> But it's an attack vector that MUST be considered, which is why I never
> tell the truth in any "secret question / secret answer" boxes. Why some
> sites think "mother's maiden name" is at all safe is beyond my
> comprehension. And that's not counting the ones that I can't answer
> because I can't find the "NaN" key on my keyboard, like "Surname of
> first girlfriend". *twiddle thumbs*

If you lie to these secret questions -- and I strongly recommend that you 
do -- you should record the answers somewhere so you can retrieve them 
later, long after you've forgotten whether the name of your first pet was 
Obama bin Bush or Tarzan the King of the Desert. Trust me on this, you 
will need them.

The missus has a Yahoo account, and being paranoid even by my standards 
for keeping her web presence completely separate from her real life, she 
invented fake answers to the secret questions like Your Birthday. (As you 
should. It is my opinion that lying to big faceless corporations is not a 
sin, but a duty. They are not on your side, and the more they know about 
you the more they will abuse the knowledge.) So fast forward a few 
months, and the Yahoos at Yahoo put through another bloody round of 
bloody so-called improvements that break everything in sight, including 
people's passwords. So She Who Must Be Obeyed resets her password, except 
now it's *permanently broken* -- no matter how many times she resets her 
password, Yahoo will let her log in *once* then the next time claim the 
password is invalid. 

And then a week or two ago, Yahoo added another piece of broken security 
theatre, and asks you to answer one of those secret questions before 
they'll reset your password. So now SWMBO is locked out of her account 
because she can't remember what she used.

Mind you, Yahoo is rapidly going from Worse to Even Worse, so it was only 
a matter of time before she would have dumped them for good. Still, it's 
annoying -- it's like having your identity stolen by a hermit on some 
mountain top who doesn't do anything with it, except prevent you from 
using it.



-- 
Steven D'Aprano
http://import-that.dreamwidth.org/