Password validation security issue

Chris Angelico rosuav at gmail.com
Mon Mar 3 13:46:48 EST 2014


On Tue, Mar 4, 2014 at 3:46 AM, Steven D'Aprano
<steve+comp.lang.python at pearwood.info> wrote:
> On Tue, 04 Mar 2014 00:55:45 +1100, Chris Angelico wrote:
>
>> But it's an attack vector that MUST be considered, which is why I never
>> tell the truth in any "secret question / secret answer" boxes. Why some
>> sites think "mother's maiden name" is at all safe is beyond my
>> comprehension. And that's not counting the ones that I can't answer
>> because I can't find the "NaN" key on my keyboard, like "Surname of
>> first girlfriend". *twiddle thumbs*
>
> If you lie to these secret questions -- and I strongly recommend that you
> do -- you should record the answers somewhere so you can retrieve them
> later, long after you've forgotten whether the name of your first pet was
> Obama bin Bush or Tarzan the King of the Desert. Trust me on this, you
> will need them.
>
> The missus has a Yahoo account, and being paranoid even by my standards
> for keeping her web presence completely separate from her real life, she
> invented fake answers to the secret questions like Your Birthday. (As you
> should. It is my opinion that lying to big faceless corporations is not a
> sin, but a duty. They are not on your side, and the more they know about
> you the more they will abuse the knowledge.)

I've followed this for a long time. If anything asks for my date of
birth and appears to be just verifying that I'm at least 13 years old,
I'll say Jan 1st in some year that's vaguely near my year of birth.
(This is largely because the drop-down combo boxes usually already say
Jan 1st, and it's pointlessly tedious to aim for my exact year, much
less the day within that.) My brother's new wife (married last Nov)
didn't understand this about me when I was helping her port her mobile
phone onto the family account. The system asks me for a date of birth,
and I turn to her and say, "What date of birth did you use?" - and she
looks at me funny, not understanding why I don't already know what to
fill in. But for all I know, she could have set up her mobile account
with a DOB of 1912/6/23 in commemoration of cryptography.

But yes, on the (frequent) occasions when I lie through my teeth, I
usually record my answers as separate passwords.

ChrisA
