On Sat, Dec 24, 2016 at 7:08 PM, Paul Rubin <no.email@nospam.invalid> wrote:
> Chris Angelico <ros...@gmail.com> writes:
>> Correct. However, weak passwords are ultimately the user's
>> responsibility, where the hashing is the server's responsibility.
>
> No, really, the users are part of the system and therefore the system
> designer must take the expected behavior of actual users into account.
> The idea is to prevent breaches, not to allow them as long as the blame
> can be shifted to someone else.

I agree, but that's why I said "ultimately". As an end user of a system, I have no control over the hashing used, and lots of control over the password I use; as a sysadmin, I have lots of control over the hashing, and very little on passwords. I could enforce a minimum password length, but I can't prevent password reuse, and I can't do much about the other forms of weak passwords.

ChrisA