Password validation security issue
roy at panix.com
Mon Mar 3 14:41:10 CET 2014
In article <mailman.7619.1393815421.18130.python-list at python.org>,
Chris Angelico <rosuav at gmail.com> wrote:
> The greatest threats these days are from the network, not from someone
> physically walking into an office. (That said, though, the low-hanging
> fruit from walking into an office can be *extremely* tempting. Pulling
> off a basic password leech off sticky notes is often so easy that it
> can be done as a visitor, or at least as a pizza deliveryman.)
Doesn't even require physical presence. With the ubiquity of various
video chat applications, as long as the sticky note is in the field of
view of the camera, you've leaked the password. With the right
lighting, I wouldn't be surprised if you could pick up the reflection of
a sticky note in somebody's eyeglasses.
So, here's my own (embarrassing) story of password leaking. Back when
smartphones were new, I had one of the early Palm Treos. I decided a
good place to store my passwords was as fields on my own card. What I
didn't realize was that if I beamed[*] my card to somebody, I was also
giving them all my passwords, mostly because it had never occurred to me
that I might want to beam my card to somebody. Until somebody else in
my office got another smart phone that had beaming capabilities and we
decided to see how it worked. It occurred to me as soon as we completed
the first experiment.
I used to work at <big company> which had a typical big company IT
department which enforced all sorts of annoying pseudo-security rules.
As far as I could figure out, however, all you needed to get them to
reset anybody's password and tell you the new one was to know their
employee ID number (visible on the front of their ID badge), and to make
the call from their desk phone.
[*] Beaming: a prehistoric technology which allows exchange of data over
an infrared light beam.
More information about the Python-list