On Mon, Mar 3, 2014 at 12:52 PM, Ian Kelly <ian.g.ke...@gmail.com> wrote: > On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano > <steve+comp.lang.pyt...@pearwood.info> wrote: >> People have managed physical keys for *centuries*. Yes, there are a class >> of threats where you lose your key, or someone steals it, or makes a >> copy, but the risks are well-understood and can be managed even by your >> grandmother. We have good solutions for those problems that work well, >> and many of them apply just as well to sticky notes with secure passwords >> written on them. > > I don't know how well the analogy holds up. People protect their > keys, because a) if they lose them, they can't get into their house or > business, and b) if they're stolen, somebody else could gain access > and steal expensive items from them. People are less likely to > protect their sticky notes, because a) nobody is going to steal a > piece of paper, and b) if it does go missing, the IT guy is just one > phone call away, and c) who would want to break into my desktop > anyway? I don't have any trade secrets in there.
The greatest threats these days are from the network, not from someone physically walking into an office. (That said, though, the low-hanging fruit from walking into an office can be *extremely* tempting. Pulling off a basic password leech off sticky notes is often so easy that it can be done as a visitor, or at least as a pizza deliveryman.) Ultimately, any network-accessible resource is protected by some system of credentials that can be guessed; the only question is how hard it is to guess. Any scheme to steal the password has to be easier than guessing, or it's not worth it. Breaking a salted SHA-256 versus XKCD 538 password cracking? Take your pick, but guessing a six-character password beats both (being quicker than the one and more subtle than the other). Maybe salted SHA-256 isn't perfect, but it's certainly (a) a lot better than plain text, unsalted hashes, or salted MD5, and (b) good enough to raise the cracking of the hash above a lot of other infiltration techniques. ChrisA -- https://mail.python.org/mailman/listinfo/python-list
