Password validation security issue
steve at pearwood.info
Mon Mar 3 05:38:33 CET 2014
On Sun, 02 Mar 2014 18:52:40 -0700, Ian Kelly wrote:
> On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano
> <steve+comp.lang.python at pearwood.info> wrote:
>> People have managed physical keys for *centuries*. Yes, there are a
>> class of threats where you lose your key, or someone steals it, or
>> makes a copy, but the risks are well-understood and can be managed even
>> by your grandmother. We have good solutions for those problems that
>> work well, and many of them apply just as well to sticky notes with
>> secure passwords written on them.
> I don't know how well the analogy holds up. People protect their keys,
> because a) if they lose them, they can't get into their house or
> business, and b) if they're stolen, somebody else could gain access and
> steal expensive items from them.
A bit like the password to your bank account, or for that matter your
> People are less likely to protect
> their sticky notes, because a) nobody is going to steal a piece of
Oh really? Chances are you're wallet is *full* of pieces of paper that
people would steal, given half the chance.
> and b) if it does go missing, the IT guy is just one phone call
Last time I had to call my bank to unlock my account, it took two phone
calls and nearly three hours of elapsed time. And I was lucky I didn't
have to physically go in to a branch and show photo ID.
> and c) who would want to break into my desktop anyway? I don't
> have any trade secrets in there.
Who would want to steal somebody else's identity?
I'm not saying that people are born with an intuitive understanding of
the security issues of a modern technological society. But they can
*learn* (perhaps only after they get burned) that they need to protect
their computer accounts, including their desktop.
Having learned that, they're screwed: even in the (uncommon) case that
their account will support a cryptographically strong passphrase, most
people need a dozen or more different passwords and/or passphrases. (I
have about 50, only a dozen of which I keep in my head.) Who is going to
remember a 12 character high-entropy string for an account they only use
once a year? Most people have trouble remembering four-digit PINs if they
don't use them regularly.
We cannot solve the social problem that people *don't* care about
security with a technical solution, but we might be able to solve the
problem that people *can't* remember sufficient passphrases and passwords
for their needs. Lacking a technical solution for that, for most people,
under many practical threat models, writing down your strong passwords on
bits of paper which you then keep safe is better than using weak
passwords, using one strong password for everything, or trying to
remember a dozen strong, independent passwords.
More information about the Python-list