On 2014-03-03 13:55, Chris Angelico wrote:
On Tue, Mar 4, 2014 at 12:41 AM, Roy Smith <r...@panix.com> wrote:
I used to work at <big company> which had a typical big company IT
department which enforced all sorts of annoying pseudo-security rules.
As far as I could figure out, however, all you needed to get them to
reset anybody's password and tell you the new one was to know their
employee ID number (visible on the front of their ID badge), and to make
the call from their desk phone.
Technically, that's a separate vulnerability. If you figure out
someone else's password, you can log in as that person and nobody is
any the wiser (bar detailed logs eg of IP addresses). Getting a
password reset will at least alert the person on their next login.
That may or may not be safe, of course. Doing a password reset at
4:30pm the day before someone goes away for two months might give you
free reign for that time *and* might not even arouse suspicions ("I
can't remember my password after the break, can you reset it
please?").
But it's an attack vector that MUST be considered, which is why I
never tell the truth in any "secret question / secret answer" boxes.
Why some sites think "mother's maiden name" is at all safe is beyond
my comprehension. And that's not counting the ones that I can't answer
because I can't find the "NaN" key on my keyboard, like "Surname of
first girlfriend". *twiddle thumbs*
I don't think you're obliged to answer such questions truthfully.
Q: Surname of first girlfriend?
A: Luxury Yacht
--
https://mail.python.org/mailman/listinfo/python-list
