Password validation security issue
Steven D'Aprano
steve+comp.lang.python at pearwood.info
Mon Mar 3 11:46:38 EST 2014
On Tue, 04 Mar 2014 00:55:45 +1100, Chris Angelico wrote:
> But it's an attack vector that MUST be considered, which is why I never
> tell the truth in any "secret question / secret answer" boxes. Why some
> sites think "mother's maiden name" is at all safe is beyond my
> comprehension. And that's not counting the ones that I can't answer
> because I can't find the "NaN" key on my keyboard, like "Surname of
> first girlfriend". *twiddle thumbs*
If you lie to these secret questions -- and I strongly recommend that you
do -- you should record the answers somewhere so you can retrieve them
later, long after you've forgotten whether the name of your first pet was
Obama bin Bush or Tarzan the King of the Desert. Trust me on this, you
will need them.
The missus has a Yahoo account, and being paranoid even by my standards
for keeping her web presence completely separate from her real life, she
invented fake answers to the secret questions like Your Birthday. (As you
should. It is my opinion that lying to big faceless corporations is not a
sin, but a duty. They are not on your side, and the more they know about
you the more they will abuse the knowledge.) So fast forward a few
months, and the Yahoos at Yahoo put through another bloody round of
bloody so-called improvements that break everything in sight, including
people's passwords. So She Who Must Be Obeyed resets her password, except
now it's *permanently broken* -- no matter how many times she resets her
password, Yahoo will let her log in *once* then the next time claim the
password is invalid.
And then a week or two ago, Yahoo added another piece of broken security
theatre, and asks you to answer one of those secret questions before
they'll reset your password. So now SWMBO is locked out of her account
because she can't remember what she used.
Mind you, Yahoo is rapidly going from Worse to Even Worse, so it was only
a matter of time before she would have dumped them for good. Still, it's
annoying -- it's like having your identity stolen by a hermit on some
mountain top who doesn't do anything with it, except prevent you from
using it.
--
Steven D'Aprano
http://import-that.dreamwidth.org/