Password validation security issue

Chris Angelico rosuav at gmail.com
Mon Mar 3 14:55:45 CET 2014


On Tue, Mar 4, 2014 at 12:41 AM, Roy Smith <roy at panix.com> wrote:
> I used to work at <big company> which had a typical big company IT
> department which enforced all sorts of annoying pseudo-security rules.
> As far as I could figure out, however, all you needed to get them to
> reset anybody's password and tell you the new one was to know their
> employee ID number (visible on the front of their ID badge), and to make
> the call from their desk phone.

Technically, that's a separate vulnerability. If you figure out
someone else's password, you can log in as that person and nobody is
any the wiser (bar detailed logs eg of IP addresses). Getting a
password reset will at least alert the person on their next login.
That may or may not be safe, of course. Doing a password reset at
4:30pm the day before someone goes away for two months might give you
free reign for that time *and* might not even arouse suspicions ("I
can't remember my password after the break, can you reset it
please?").

But it's an attack vector that MUST be considered, which is why I
never tell the truth in any "secret question / secret answer" boxes.
Why some sites think "mother's maiden name" is at all safe is beyond
my comprehension. And that's not counting the ones that I can't answer
because I can't find the "NaN" key on my keyboard, like "Surname of
first girlfriend". *twiddle thumbs*

ChrisA



More information about the Python-list mailing list