Re: Re: Do you trim() usernames and passwords?


 



On Wed, Dec 29, 2010 at 12:00:01AM -0500, David Hutto wrote:

> On Tue, Dec 28, 2010 at 11:51 PM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx>
> wrote:
> > On Tue, Dec 28, 2010 at 11:28:12PM -0500, Joshua Kehn wrote:
> >
> >> On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote:
> >>
> >> > On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote:
> >> >
> >> >> Specifically:
> >> >>
> >> >>>> Dotan Cohen wrote:
> >> >>>>> I seem to have an issue with users who copy-paste their usernames
> >> >>>>> and passwords copying and pasting leading and trailing space
> >> >>>>> characters.
> >> >>
> >> >> Users should not be copy-pasting passwords or usernames. Do not
> >> >> compromise a system to cater to bad [stupid, ignorant, you pick] users.
> >> >> If this is an issue then educate the users.
> >> >>
> >> >
> >> > Wrong. I use a program called pwgen to generate passwords for me, which
> >> > I cannot remember. I use another program I built to store them in an
> >> > encrypted file. When I have to supply a password which I've forgotten
> >> > (as usual), I fire up my password "vault", find the password, and paste
> >> > it wherever it's needed. Users would be wise to follow a scheme like
> >> > this, rather than using their dog's name or somesuch as their passwords.
> >> >
> >> > Paul
> >> >
> >> > --
> >> > Paul M. Foster
> >> > http://noferblatz.com
> >> >
> >>
> >> What is "wrong?" That users should not be copy-pasting passwords or
> >> don't compromise the system?
> >>
> >> I agree that users should not use weak passwords, but not everyone
> >> goes everywhere with a vault. I am more than capable of memorizing 20 or
> >> so 16-32 character full set passwords.
> >>
> >
> > And so you assume everyone can do that? I can remember maybe 5 of the
> > passwords I regularly need. (I rarely repeat passwords for different
> > sites.) In addition, some passwords have been *assigned* to me and
> > cannot readily be changed (and are usually difficult to remember). Many
> > of the rest I so seldom use that it would be silly to try to remember
> > them. Particularly when I do have a password-locked file I can use to
> > record them for me.
> >
> > Under the circumstances I described, I have yet to hear in what way
> > copying and pasting passwords compromises security of anything by
> > itself. Please enlighten me.
> 
> Correct me if I'm wrong, but if you initially type the username and
> password into a file, and you have, in my paranoid scenario, a
> keylogger you don't know about, it gets logged, but also, I assume it
> would get logged if you typed it in as well, on the site, or that
> someone could lift the password if given the authority on your system,
> correct?

Well, let's see. My system sits behind a firewall. No external services
are advertised to the internet. All internal addresses are non-routable.
I do not use or have any wifi. The system sits in my home office. I use
a Debian Linux system and practice very safe computing. I often
investigate little-known sites before surfing to them, and never accept
temptations to click on ads. In fact, I have my /etc/hosts file set up
to block the vast majority of ad servers (I see a fraction of the ads
most people see). I never download content of questionable origin, nor
accept it from others without investigating it first. I have a root kit
detector installed, which I periodically use. I'm the only person who
uses this computer. No one who enters this space is more knowledgeable
than I am about computers (= not capable of hacking a computer). And
suffice it to say that I'm easily capable of dropping an intruder in his
tracks from a distance should he enter my abode uninvited. Moreover, the
law here allows me to do so with impunity.

Now, theoretically, assuming I'm entering a password over an unencrypted
internet connection (non-HTTPS), someone could theoretically capture that
password. However, I can't think of the last time I've been asked to do
such a thing, if ever. And if invited to do so, I would check first what
kind of content such a hacker would thereby gain access to. If the
content wasn't that important, then it wouldn't much matter to me if
they captured the password. (I've worked at places where a password on
an unencrypted internet-facing server would give someone access to the
bug-tracking system. Big deal.)

So, yes, on planet Epsilon-3-Bingo, perhaps. But here? Unlikely.

Paul

-- 
Paul M. Foster
http://noferblatz.com
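The thread's subject is whether to trim() pasted usernames and passwords. The following is an added PHP example, not code from any poster; it assumes an application that normalizes the pasted input the same way at registration and at login, and uses a constructed username and password as sample input. It shows the point the copy-paste complaint raises: trimming a username is harmless, while trimming a password changes the bytes that get hashed, so whatever choice is made has to be applied consistently on both sides or the stored hash will never verify.

```php
<?php
// Added example, not from the mailing-list thread.
// Demonstrates the effect of trim() on pasted credentials.

function normalizeUsername(string $raw): string {
    // Leading/trailing whitespace picked up by a copy-paste is never
    // meaningful in a username, so strip it before the account lookup.
    return trim($raw);
}

function normalizePassword(string $raw): string {
    // Assumption for this example: the application trims passwords too.
    // trim() changes the bytes, so " secret" and "secret" hash differently;
    // this function must be applied identically at registration and login.
    return trim($raw);
}

// Constructed sample input: what a user pasted, stray whitespace included.
$pastedUser = "  alice \n";
$pastedPass = " correct horse battery staple ";

// Registration: store a hash of the normalized password only.
$storedHash = password_hash(normalizePassword($pastedPass), PASSWORD_DEFAULT);

// Login with the same pasted input, normalized the same way, verifies.
$sameNormalization = password_verify(normalizePassword($pastedPass), $storedHash);

// Verifying the raw, untrimmed bytes against that hash fails: the
// normalization step was skipped on one side, so the bytes differ.
$rawBytes = password_verify($pastedPass, $storedHash);

printf("username after trim: '%s'\n", normalizeUsername($pastedUser));
printf("verify (normalized both sides): %s\n", var_export($sameNormalization, true));
printf("verify (raw bytes vs. trimmed hash): %s\n", var_export($rawBytes, true));
```

Whether passwords should be trimmed at all is a policy choice; the example only shows that the choice must be made once and enforced at every place the password is handled.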


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


