[Midas] Bug in Pydas onetime password management

Chapman, Brian brchapman at ucsd.edu
Thu Nov 15 17:50:08 EST 2012


Hello Everybody,

I just upgraded to pydas version 0.2.24 and logged in to a Midas instance that has two-factor authentication enabled. Pydas prompts me for the one-time password, but when I entered the one-time password it was not hidden from the screen, as it would be if I were using getpass.getpass(). Since with the RSA SecurID the one-time password is a concatenation of a fixed password and the one-time generated code, this is a potential compromise of the system security.

Brian

Brian E. Chapman, PhD
Associate Professor
Division of Biomedical Informatics
University of California, San Diego
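
Added example, not part of the original message and not pydas code: an echoing prompt beside a getpass-based one that also fails closed when echo cannot be turned off. The names `prompt_echoing`, `prompt_hidden` and the `reader` parameter are hypothetical and exist only so the prompt can be exercised without a terminal.

```python
import getpass
import warnings

PROMPT = "One-time password: "


def prompt_echoing(reader=input):
    """Behaviour reported above: the secret is read with terminal echo on."""
    return reader(PROMPT)


def prompt_hidden(reader=getpass.getpass):
    """Read the one-time password without echo, and fail closed.

    getpass.getpass() falls back to an echoing read and emits
    GetPassWarning when it cannot control the terminal. Promoting that
    warning to an error keeps the fixed password plus token code off
    the screen instead of silently showing it.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("error", getpass.GetPassWarning)
        try:
            secret = reader(PROMPT)
        except getpass.GetPassWarning as exc:
            raise RuntimeError(
                "cannot disable terminal echo; refusing to prompt"
            ) from exc
    if not secret:
        raise ValueError("empty one-time password")
    return secret


if __name__ == "__main__":
    # Constructed stand-in for a terminal where echo cannot be disabled.
    def no_echo_control(prompt):
        warnings.warn("Can not control echo on the terminal.",
                      getpass.GetPassWarning)
        return "constructed-secret"

    try:
        prompt_hidden(reader=no_echo_control)
    except RuntimeError as err:
        print("refused:", err)
```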



