On 2010-02-25 02:07, Steven D'Aprano wrote:
> On Wed, 24 Feb 2010 18:23:17 +0100, mk wrote:
>
>> Anyway, the passwords for authorized users will be copied and pasted
>> from email into the application GUI which will remember it for them,
>> so they will not have to remember and type them in.
>
> So to break your application's security model, all somebody has to do is
> use their PC and they have full access to their account?
>
> Or get hold of the copy and paste buffer?
>
> Or the application's config files?

Yes. There's no way around this, short of forcing them to use a hardware key, which is overkill for this application.

>> So I have little in
>> the way of limitations of password length - even though in *some* cases
>> somebody might have to (or be ignorant enough to) retype the password
>> instead of pasting it in.
>
> Or your users might be sensible enough to not trust a roll-your-own
> security model, and prefer to memorize the password than to trust that
> nobody will get access to their PC.

The app is not that critical, it's about a quarterly subscription to the service, and the users will be able to reset the password anyway. If it were that critical, I'd use the hardware keys; if hardware keys are not used, once somebody gains (unconstrained) access to the user's PC, there's not much that the app developer can do. I've read somewhere a warning from a PuTTY developer that even though the key is (normally) protected by the passphrase, losing even an encrypted key is quite likely to lead to its compromise. There's even some software for that on the net:

http://www.neophob.com/serendipity/index.php?/archives/127-PuTTY-Private-Key-cracker.html

>> The main application will access the data using HTTP (probably), so the
>> main point is that an attacker is not able to guess passwords using
>> brute force.
>
> And why would they bother doing that when they can sniff the wire and get
> the passwords in plain text? You should assume your attackers are
> *smarter* than you, not trust them to be foolish.

I should have written HTTPS.

Regards,
mk

--
http://mail.python.org/mailman/listinfo/python-list
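The thread's two technical points, that generated-and-pasted passwords remove the usual length limit and that the server must then make online guessing impractical, can be made concrete. The following is an added example written for this page, not code from mk or from the python-list thread: it generates passwords with the OS CSPRNG, computes how many guesses an attacker would need on average, and sketches a per-account failure throttle for the login endpoint. The alphabet, the guessing rate, and the throttle limits are constructed assumptions, not values from the thread.

```python
import math
import secrets
import string

# Assumption: alphabet the generator draws from (letters and digits).
ALPHABET = string.ascii_letters + string.digits
# Assumption: guesses/second an attacker can push through a throttled HTTPS login.
ASSUMED_GUESSES_PER_SECOND = 1000


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly using `secrets` (CSPRNG), never `random`."""
    if length < 1:
        raise ValueError("length must be >= 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int) -> float:
    """Average guesses needed for an exhaustive search: half the keyspace."""
    return alphabet_size ** length / 2


def years_to_brute_force(length: int, alphabet_size: int,
                         guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time in years at the assumed online guessing rate."""
    seconds = expected_guesses(length, alphabet_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


class LoginThrottle:
    """Per-account lockout after repeated failures inside a sliding window.

    This is the server-side half of 'not guessable by brute force': even a
    short password survives longer if the endpoint only accepts a handful of
    wrong attempts per window. `now` is passed in (seconds) so it is testable.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: dict[str, list[float]] = {}

    def _recent(self, account: str, now: float) -> list[float]:
        # Drop timestamps that fell out of the window.
        return [t for t in self._failures.get(account, []) if now - t < self.window]

    def record_failure(self, account: str, now: float) -> None:
        stamps = self._recent(account, now)
        stamps.append(now)
        self._failures[account] = stamps

    def is_locked(self, account: str, now: float) -> bool:
        return len(self._recent(account, now)) >= self.max_failures


if __name__ == "__main__":
    pw = generate_password(16)
    bits = entropy_bits(16, len(ALPHABET))
    print(f"generated: {pw}  ({bits:.1f} bits)")
    for length in (6, 8, 16):
        print(f"length {length:2d}: ~{years_to_brute_force(length, len(ALPHABET)):.3g} years "
              f"at {ASSUMED_GUESSES_PER_SECOND} guesses/s")
```

The estimate only holds for an online attack against a server that rate limits; if the password database itself leaks, the relevant rate is offline hashing speed, which is why length still matters even when users never type the password.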