Is this secure?

Steven D'Aprano steven at REMOVE.THIS.cybersource.com.au
Thu Feb 25 02:07:31 CET 2010


On Wed, 24 Feb 2010 18:23:17 +0100, mk wrote:

> Anyway, the passwords for authorized users will be copied and pasted
> from email into in the application GUI which will remember it for them,
> so they will not have to remember and type them in.

So to break your application's security model, all somebody has to do is 
use their PC and they have full access to their account?

Or get hold of the copy and paste buffer?

Or the application's config files?



> So I have little in
> the way of limitations of password length - even though in *some* cases
> somebody might have to (or be ignorant enough) to retype the password
> instead of pasting it in.

Or your users might be sensible enough to not trust a role-your-own 
security model, and prefer to memorize the password than to trust that 
nobody will get access to their PC.



> The main application will access the data using HTTP (probably), so the
> main point is that an attacker is not able to guess passwords using
> brute force.

And why would they bother doing that when they can sniff the wire and get 
the passwords in plain text? You should assume your attackers are 
*smarter* than you, not trust them to be foolish.


-- 
Steven



More information about the Python-list mailing list