Password validation security issue

Roy Smith roy at panix.com
Mon Mar 3 14:41:10 CET 2014


In article <mailman.7619.1393815421.18130.python-list at python.org>,
 Chris Angelico <rosuav at gmail.com> wrote:

> The greatest threats these days are from the network, not from someone
> physically walking into an office. (That said, though, the low-hanging
> fruit from walking into an office can be *extremely* tempting. Pulling
> off a basic password leech off sticky notes is often so easy that it
> can be done as a visitor, or at least as a pizza deliveryman.)

Doesn't even require physical presence.  With the ubiquity of various 
video chat applications, as long as the sticky note is in the field of 
view of the camera, you've leaked the password.  With the right 
lighting, I wouldn't be surprised if you could pick up the reflection of 
a sticky note in somebody's eyeglasses.

So, here's my own (embarrassing) story of password leaking.  Back when 
smartphones were new, I had one of the early Palm Treos.  I decided a 
good place to store my passwords was as fields on my own card.  What I 
didn't realize was that if I beamed[*] my card to somebody, I was also 
giving them all my passwords, mostly because it had never occurred to me 
that I might want to beam my card to somebody.  Until somebody else in 
my office got another smart phone that had beaming capabilities and we 
decided to see how it worked.  It occurred to me as soon as we completed 
the first experiment.

I used to work at <big company> which had a typical big company IT 
department which enforced all sorts of annoying pseudo-security rules.  
As far as I could figure out, however, all you needed to get them to 
reset anybody's password and tell you the new one was to know their 
employee ID number (visible on the front of their ID badge), and to make 
the call from their desk phone.

[*] Beaming: a prehistoric technology which allows exchange of data over 
an infrared light beam.



More information about the Python-list mailing list