Is this secure?

Steven D'Aprano steven at REMOVE.THIS.cybersource.com.au
Wed Feb 24 20:07:31 EST 2010


On Wed, 24 Feb 2010 18:23:17 +0100, mk wrote:

> Anyway, the passwords for authorized users will be copied and pasted
> from email into the application GUI which will remember it for them,
> so they will not have to remember and type them in.

So to break your application's security model, all somebody has to do is 
use their PC and they have full access to their account?

Or get hold of the copy and paste buffer?

Or the application's config files?



> So I have little in
> the way of limitations of password length - even though in *some* cases
> somebody might have to (or be ignorant enough to) retype the password
> instead of pasting it in.

Or your users might be sensible enough to not trust a roll-your-own 
security model, and prefer to memorize the password than to trust that 
nobody will get access to their PC.



> The main application will access the data using HTTP (probably), so the
> main point is that an attacker is not able to guess passwords using
> brute force.

And why would they bother doing that when they can sniff the wire and get 
the passwords in plain text? You should assume your attackers are 
*smarter* than you, not trust them to be foolish.


-- 
Steven