Password validation security issue

Steven D'Aprano steve at pearwood.info
Mon Mar 3 05:38:33 CET 2014


On Sun, 02 Mar 2014 18:52:40 -0700, Ian Kelly wrote:

> On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano
> <steve+comp.lang.python at pearwood.info> wrote:
>> People have managed physical keys for *centuries*. Yes, there are a
>> class of threats where you lose your key, or someone steals it, or
>> makes a copy, but the risks are well-understood and can be managed even
>> by your grandmother. We have good solutions for those problems that
>> work well, and many of them apply just as well to sticky notes with
>> secure passwords written on them.
> 
> I don't know how well the analogy holds up.  People protect their keys,
> because a) if they lose them, they can't get into their house or
> business, and b) if they're stolen, somebody else could gain access and
> steal expensive items from them. 

A bit like the password to your bank account, or for that matter your 
Facebook account.


> People are less likely to protect
> their sticky notes, because a) nobody is going to steal a piece of
> paper, 

Oh really? Chances are you're wallet is *full* of pieces of paper that 
people would steal, given half the chance.


> and b) if it does go missing, the IT guy is just one phone call
> away, 

Last time I had to call my bank to unlock my account, it took two phone 
calls and nearly three hours of elapsed time. And I was lucky I didn't 
have to physically go in to a branch and show photo ID.


> and c) who would want to break into my desktop anyway? I don't
> have any trade secrets in there.

Who would want to steal somebody else's identity?

I'm not saying that people are born with an intuitive understanding of 
the security issues of a modern technological society. But they can 
*learn* (perhaps only after they get burned) that they need to protect 
their computer accounts, including their desktop.

Having learned that, they're screwed: even in the (uncommon) case that 
their account will support a cryptographically strong passphrase, most 
people need a dozen or more different passwords and/or passphrases. (I 
have about 50, only a dozen of which I keep in my head.) Who is going to 
remember a 12 character high-entropy string for an account they only use 
once a year? Most people have trouble remembering four-digit PINs if they 
don't use them regularly.

We cannot solve the social problem that people *don't* care about 
security with a technical solution, but we might be able to solve the 
problem that people *can't* remember sufficient passphrases and passwords 
for their needs. Lacking a technical solution for that, for most people, 
under many practical threat models, writing down your strong passwords on 
bits of paper which you then keep safe is better than using weak 
passwords, using one strong password for everything, or trying to 
remember a dozen strong, independent passwords.



-- 
Steven



More information about the Python-list mailing list