Re: Google signin

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Greg Stark <stark(at)mit(dot)edu>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, PostgreSQL WWW <pgsql-www(at)postgresql(dot)org>
Subject: Re: Google signin
Date: 2017-08-15 20:22:41
Message-ID: CABUevEy+O+Z5j3mghG4R9dKuF+VoyxirwNMN7T1rATsqNBEdvQ@mail.gmail.com
Lists: pgsql-www

On Tue, Aug 15, 2017 at 8:26 PM, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:

> > On 15 Aug 2017, at 12:18, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> >
> > Here's an updated patch
>
> In the below hunk, s/decicated/dedicated/:
>
> +a decicated account, or use one of the third party sign-in systems below.
>

Fixed in local dev branch.

> Without being terribly well versed in Django (or Python), the logic seems quite
> reasonable to me on a read through/review.
>

Thanks.

> > that does this. It will try in order:
> > <firstname><lastinitial>, e.g. stephenf
> > <firstinitial><lastname>, e.g. sfrost
> > <firstname><lastinitial><number>, e.g. stephenf0, stephenf1, stephenf2 etc
>
> How about a random number instead? Not that I see any immediate risk with
> anything here, but many years of looking at logs from web attacks has taught me
> that predictability is what is being tried first.
>

I'm not really sure what the attack scenario would be though? I think the
sequential one would generally generate a nicer name, and we're not trying
an infinite number. Plus to even get there you must have logged in with a
Google (or something) account that already failed the first two checks. And
if you then want to do it again, you have to create another third party
account and loop over it...

Or do you see a scenario that I don't?

> A big +1 on getting this functionality in.
>

Thanks!

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
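The username-generation order discussed above (firstname plus last initial, then first initial plus last name, then firstname plus last initial plus a number), written out as an added illustration rather than the patch's own Django code. It assumes a hypothetical normalisation to lowercase alphanumerics, replaces the site's user lookup with an `is_taken` callback, and bounds the numbered attempts so the loop is finite. It also carries the alternative raised in the thread, a random suffix drawn from `SystemRandom`, behind a `use_random` switch so both variants can be compared side by side.

```python
import random
import re


def _normalise(part: str) -> str:
    """Reduce a name part to lowercase ASCII letters and digits.

    Hypothetical rule: the actual normalisation used by the patch is not
    shown in the thread.
    """
    return re.sub(r"[^a-z0-9]", "", part.lower())


def candidate_usernames(first: str, last: str, max_numbered: int = 100,
                        use_random: bool = False, rng=None):
    """Yield candidates in the order the thread describes.

    1. <firstname><lastinitial>, e.g. stephenf
    2. <firstinitial><lastname>,  e.g. sfrost
    3. <firstname><lastinitial><number>

    The numbered form is sequential by default (stephenf0, stephenf1, ...).
    With use_random=True the number comes from an unpredictable source
    (the alternative suggested in the thread). Either way the number of
    attempts is capped by max_numbered, so the search always terminates.
    """
    first_n, last_n = _normalise(first), _normalise(last)
    if not first_n or not last_n:
        return  # nothing sensible to build a username from

    yield first_n + last_n[0]
    yield first_n[0] + last_n

    if use_random:
        rng = rng or random.SystemRandom()
        for _ in range(max_numbered):
            yield f"{first_n}{last_n[0]}{rng.randrange(10 ** 6)}"
    else:
        for n in range(max_numbered):
            yield f"{first_n}{last_n[0]}{n}"


def pick_username(first: str, last: str, is_taken, **options):
    """Return the first candidate that is_taken() rejects, or None.

    is_taken stands in for the real user-existence lookup; it is called
    once per candidate, so the cap in candidate_usernames also bounds the
    number of lookups a single sign-in can trigger.
    """
    for cand in candidate_usernames(first, last, **options):
        if not is_taken(cand):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: three usernames already in use.
    taken = {"stephenf", "sfrost", "stephenf0"}
    print(pick_username("Stephen", "Frost", taken.__contains__))
    print(pick_username("Stephen", "Frost", taken.__contains__,
                        use_random=True))
```

Running the module prints `stephenf1` for the sequential strategy; the random variant prints `stephenf` followed by a six-digit-or-shorter number that differs on every run. Returning `None` when every bounded candidate is taken leaves the caller to decide how to proceed, rather than looping indefinitely.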
