Password validation security issue

Christian Heimes christian at python.org
Sun Mar 2 14:25:24 EST 2014


On 01.03.2014 21:11, Chris Angelico wrote:
> The problem isn't SHA-256. The problem is insecure passwords, the way
> we've been taught to make them by the banks. Hence, XKCD 936.

Your argumentation is just wrong. You are saying "It's OK to use a
totally insecure way to hash passwords because passwords are insecure".
The point of KDF and KSA is to derive some token from a low entropy
source (human input) that makes an attack harder. Please do your reading
and trust security experts on algorithms like PBKDF2, bcrypt and
scrypt. hash(salt + password) is outdated and has been proven insecure for
at least a decade, more like 15+ years.

The concept of passwords itself is insecure. But we are stuck with
passwords as an authentication mechanism for the foreseeable future. 2FA
is an attempt to increase the security of password-based authentication
schemes.

Christian
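The contrast the post draws, as an added example that is not part of the thread: the outdated `hash(salt + password)` pattern beside a PBKDF2-HMAC-SHA256 record with a per-user random salt, a verify routine that uses a constant-time comparison, and a small benchmark showing why a slow KDF hurts offline guessing far more than it hurts a legitimate login. The record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the sample password are assumptions chosen for the example, not values from the list discussion; only Python's standard library is used.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential for the demo; not from the mailing-list thread.
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumed work factor for PBKDF2-HMAC-SHA256. Treat it as tunable: raise it
# as hardware gets faster, and store it in the record so old entries still verify.
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password: str, salt: bytes) -> bytes:
    """The pattern the post calls outdated: one fast hash over salt + password.

    A single SHA-256 costs roughly a microsecond, so an attacker holding the
    database can test enormous numbers of guesses per second per core.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def derive_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Key derivation with a deliberately slow, iterated construction (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Create a storable record: algorithm, cost, random per-user salt, derived key.

    The salt comes from os.urandom so two users with the same password get
    different records and a precomputed table is useless.
    """
    salt = os.urandom(16)
    dk = derive_pbkdf2(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False  # unknown scheme; never fall back to a weaker one
    candidate = derive_pbkdf2(password, bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def slowdown_factor(iterations: int, guesses: int = 5) -> float:
    """Rough ratio of time per guess with PBKDF2 versus the legacy single hash.

    Constructed micro-benchmark: both loops run the same number of guesses
    against the same salt; the ratio approximates how much harder an offline
    attack becomes, since the defender pays the cost once per login and the
    attacker pays it once per guess.
    """
    salt = os.urandom(16)

    start = time.perf_counter()
    for i in range(guesses):
        legacy_hash(f"guess{i}", salt)
    legacy_elapsed = max(time.perf_counter() - start, 1e-9)

    start = time.perf_counter()
    for i in range(guesses):
        derive_pbkdf2(f"guess{i}", salt, iterations)
    kdf_elapsed = max(time.perf_counter() - start, 1e-9)

    return kdf_elapsed / legacy_elapsed


if __name__ == "__main__":
    record = make_record(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("correct password verifies:", verify_record(SAMPLE_PASSWORD, record))
    print("wrong password verifies:", verify_record("Tr0ub4dor&3", record))
    print("approx. slowdown per guess at 20k iterations: %.0fx" % slowdown_factor(20_000))
```

The cost parameter is stored alongside the hash so the work factor can be raised later without invalidating existing users: on a successful login, re-derive with the new cost and overwrite the record. The same structure works for scrypt (`hashlib.scrypt`) or bcrypt; what matters is the slow, salted, iterated derivation rather than the particular primitive.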



