Is this secure?

Steven D'Aprano steve at
Thu Feb 25 18:15:50 CET 2010

On Thu, 25 Feb 2010 15:05:56 +0100, mk wrote:

> On 2010-02-25 02:07, Steven D'Aprano wrote:
>> On Wed, 24 Feb 2010 18:23:17 +0100, mk wrote:
>>> Anyway, the passwords for authorized users will be copied and pasted
>>> from email into in the application GUI which will remember it for
>>> them, so they will not have to remember and type them in.
>> So to break your application's security model, all somebody has to do
>> is use their PC and they have full access to their account?
>> Or get hold of the copy and paste buffer?
>> Or the application's config files?
> Yes. There's no way around this, short of forcing them to use hardware
> key, which is an overkill for this application.

Of course there is. Why don't you find out how applications with real 
security work, instead of making up amateur insecure schemes or worrying 
about insignificant deviations from uniformity in your password generator?

You can't get hold of a user's login password in Linux or Windows by 
grabbing the copy-and-paste buffer, or by looking in the password file. 
No hardware key required.

Today, you say that your application only needs weak security because the 
value of the accounts are low. (If they're that low, why do you need a 
password at all?) But tomorrow, your application will be bigger, better, 
new and improved, with remote logins over the Internet and much more 
value -- and it will still be using the same crappy weak security that it 
has now, I guarantee it.

If you are storing the password, instead of a hash, you fail.

If you are storing a hash without a salt, you fail.

Yes, an awful lot of software do these things. They shouldn't, even for 
supposed "low value passwords".

>> Or your users might be sensible enough to not trust a role-your-own
>> security model, and prefer to memorize the password than to trust that
>> nobody will get access to their PC.
> The app is not that critical, it's about quarterly subscription to the
> service, and the users will be able to reset the password anyway.

And when users realise that they don't need to buy a subscription, they 
just need to steal a password from somebody else, what does that do to 
your business model?


More information about the Python-list mailing list