On 25/08/17 12:11, Brian wrote:
>> Unless you have a good reason to think otherwise (e.g. *you* manage the
>> web site and you know you are doing a good job), you should assume that
>> the data-base with hashed passwords will leak without the system
>> administrators noticing, and then an attack can be carried offline.
>
> The problem with assumptions is that they often do not reflect the truth
> of a situation and predispose us to making recommendations which are not
> in the best interests of other people.

This *sounds* very reasonable, but the truth is that you are simply dodging that your recommendation leads to weak passwords. In security, one should not take things for granted. One should plan for the worst plausible case. Leaking hashed passwords has happened many times, so it is very plausible.

-- 
Do not eat animals, respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan