Password validation security issue

Chris Angelico rosuav at gmail.com
Mon Mar 3 06:44:26 CET 2014


On Mon, Mar 3, 2014 at 3:38 PM, Steven D'Aprano <steve at pearwood.info> wrote:
> Oh really? Chances are you're wallet is *full* of pieces of paper that
> people would steal, given half the chance.

Alas no... around here, wallets get filled with pieces of plastic [1],
of which my wallet is sadly devoid. And I can't imagine anyone putting
effort into stealing my Gilbert & Sullivan Society membership card,
nor my coupon card for a half-price watch battery replacement on
condition that I take it back to some place that I don't go anywhere
near any more... But don't let that detract from your point :D

>> and b) if it does go missing, the IT guy is just one phone call
>> away,
>
> Last time I had to call my bank to unlock my account, it took two phone
> calls and nearly three hours of elapsed time. And I was lucky I didn't
> have to physically go in to a branch and show photo ID.

That's about par for the course. Worst part of it is when you lose
your connection and have to (a) go right back to the end of the caller
queue, (b) get through to a different agent, and therefore (c) have to
start over with the whole identifying-yourself thing. I wish I could
invoke tmux or GNU Screen on arrival,and then just reconnect.

This is, perhaps, the best argument in favour of password security.
The thought that someone might steal your identity is so vague and
hard to comprehend that it won't scare people; the possibility of
someone stealing money is "Oh but my bank will keep me safe" (whether
or not that's true is quite tangential); but explain that forgetting
your password (or having someone else figure out your password) means
having to call support? *That* is an incentive.

> Having learned that, they're screwed: even in the (uncommon) case that
> their account will support a cryptographically strong passphrase, most
> people need a dozen or more different passwords and/or passphrases. (I
> have about 50, only a dozen of which I keep in my head.) Who is going to
> remember a 12 character high-entropy string for an account they only use
> once a year? Most people have trouble remembering four-digit PINs if they
> don't use them regularly.

What if you create XKCD 936 passwords, and then have one "master
password file" in which you store, for each password, four words that
are synonyms for the originals, plus the first letters of them?
(Obviously your master password file (a) never leaves your own
computer, and (b) should itself be encrypted with some secure
password, and treated with extreme sensitivity. But that gets around
the "once a year" problem, as you'll refer to this one file any time
you need to check any of your rare passwords.) As a second line of
defense before contacting support, it feels plausible, but I've never
actually had an opportunity to try it.

Of course, the whole concept depends on being able to use long
memorable passwords. Any system that sets a maximum password length of
anything less than about 30-40 characters is causing its users
problems. There's almost never any reason to set a maximum at all.

ChrisA

[1] http://en.wikipedia.org/wiki/Polymer_banknote



More information about the Python-list mailing list