Re: Google signin

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Greg Stark <stark(at)mit(dot)edu>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, PostgreSQL WWW <pgsql-www(at)postgresql(dot)org>
Subject: Re: Google signin
Date: 2017-08-16 07:35:04
Message-ID: 175D2B7B-F3BA-4952-9144-9358FF2F9F34@yesql.se
Lists: pgsql-www

> On 15 Aug 2017, at 22:22, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>
> On Tue, Aug 15, 2017 at 8:26 PM, Daniel Gustafsson <daniel(at)yesql(dot)se <mailto:daniel(at)yesql(dot)se>> wrote:
>
> > that does this. It will try in order:
> > <firstname><lastinitial>, e.g. stephenf
> > <firstinitial><lastname>, e.g. sfrost
> > <firstname><lastinitial><number>, e.g. stephenf0, stephenf1, stephenf2 etc
>
> How about a random number instead? Not that I see any immediate risk with
> anything here, but many years of looking at logs from web attacks has taught me
> that predictability is what is being tried first.
>
> I'm not really sure what the attack scenario would be though? I think the sequential one would generally generate a nicer name, and we're not trying an infinite number. Plus to even get there you must have logged in with a google (or something) account that already failed the first two checks. And if you then want to do it again, you have to create another third party account and loop over it...
>
> Or do you see a scenario that I don’t?

No, nothing comes to mind apart from a gut reaction to predictability in user
visible data. It’s probably fine.

cheers ./daniel
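The fallback order quoted in the thread, written out as an added Python example (not pgweb's own code). The `taken` set standing in for existing accounts, the name normalization, the attempt limit and the random-suffix variant that Magnus floated are all assumptions made here.

```python
import secrets


def username_candidates(first, last, random_suffix=False, attempts=10):
    """Yield usernames in the order discussed in the thread:
    <firstname><lastinitial>, <firstinitial><lastname>, then
    <firstname><lastinitial><number>. Names are lower-cased and stripped
    of anything that is not a letter (constructed normalization)."""
    first = "".join(c for c in first.lower() if c.isalpha())
    last = "".join(c for c in last.lower() if c.isalpha())
    if not first or not last:
        raise ValueError("need a non-empty first and last name")
    yield first + last[0]
    yield first[0] + last
    for i in range(attempts):
        # Sequential suffixes (the scheme in the thread) are predictable;
        # the random variant draws an unpredictable 4-digit suffix instead.
        suffix = secrets.randbelow(10000) if random_suffix else i
        yield f"{first}{last[0]}{suffix}"


def pick_username(first, last, taken, random_suffix=False):
    """Return the first candidate not in `taken` (assumed set of existing
    usernames), or None if every candidate collides."""
    for candidate in username_candidates(first, last, random_suffix):
        if candidate not in taken:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample of already-registered accounts.
    existing = {"stephenf", "sfrost", "stephenf0", "stephenf1"}
    print(pick_username("Stephen", "Frost", existing))        # stephenf2
    print(pick_username("Stephen", "Frost", existing, True))  # e.g. stephenf4831
```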
