Another security question
Paul Rubin
no.email at nospam.invalid
Sat Dec 24 02:18:45 EST 2016
Chris Angelico <rosuav at gmail.com> writes:
> Solution: Don't use dictionary-attackable passwords.

If you allow people to choose their own passwords, they'll too often pick dictionary-attackable ones; or even if they choose difficult ones, they'll use them in more than one place, and eventually the weakest of those places will leak it. At that point it can be tried against whatever other hashes the attacker collected. The -real- right thing to do is use a secret-keyed hash function like HMAC-whatever, but that gives you a chicken-and-egg problem of how to get the secret into the system and prevent it from escaping, when you've postulated that the hashed passwords might escape. That's doable through hardware approaches like external crypto modules, TPM, secure enclaves in the CPU, etc.; but none of that is very widely deployed at the moment, and it brings its own unattractiveness.
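An added example, not part of the post above, showing the keyed-hash approach it describes in Python: each password is stretched with a per-user salt (PBKDF2) and the result is then bound with HMAC to a server-side secret ("pepper") that is held outside the credential store, so a leaked record cannot be checked against candidate passwords without that key. The pepper value, record layout and function names are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Assumption: in production the pepper lives outside the password database
# (HSM, TPM-sealed blob, KMS, or at least a separate secret store).
# This value is constructed for the example only.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff")


def hash_password(password: str, pepper: bytes, salt: bytes = b"",
                  iterations: int = 200_000) -> dict:
    """Return a storable record {salt, iterations, tag}; tag depends on the pepper."""
    salt = salt or os.urandom(16)
    # Per-user salt + slow KDF: makes guessing expensive even if the pepper leaks.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Keyed step: without the pepper the stored tag cannot be recomputed,
    # so a copy of the database alone does not enable an offline dictionary attack.
    tag = hmac.new(pepper, salt + stretched, hashlib.sha256).digest()
    return {"salt": salt.hex(), "iterations": iterations, "tag": tag.hex()}


def verify_password(password: str, pepper: bytes, record: dict) -> bool:
    """Recompute the tag with the supplied pepper and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    record["iterations"])
    expected = hmac.new(pepper, salt + stretched, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(record["tag"]))


def leaked_record_is_checkable_without_key(password: str, record: dict) -> bool:
    """Model the leak scenario: an attacker holds the record but not the pepper.

    Returns True only if the correct password can be verified with a guessed
    (wrong) key, which should never happen with a keyed hash."""
    wrong_key = b"attacker does not have the real pepper"
    return verify_password(password, wrong_key, record)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", PEPPER)
    print("stored record:", rec)
    print("verify with key:", verify_password("correct horse battery staple", PEPPER, rec))
    print("checkable without key:", leaked_record_is_checkable_without_key(
        "correct horse battery staple", rec))
```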