On Sat, 24 Dec 2016 06:38 pm, Chris Angelico wrote:
> weak passwords are ultimately the user's
> responsibility
I suppose that's true, in the same way that not getting sewerage into the
drinking water supply is also ultimately the user's responsibility.
You forget that weak passwords don't just
Chris Angelico writes:
> as a sysadmin, I have lots of control over the hashing, and very
> little on passwords. I could enforce a minimum password length, but I
> can't prevent password reuse, and I can't do much about the other
> forms of weak passwords.
Right, 2FA helps with re-use, and diffic
"Frank Millman" wrote in message news:o3lcfk$pah$1...@blaine.gmane.org...
By the way, I have realised how I ended up getting sidetracked by Blake2 in
the first place.
If you call up the online documentation for Python3.6 and select modules>h>
hashlib, it takes you straight to
15.2. hashl
"Steve D'Aprano" wrote in message
news:585d57d5$0$1587$c3e8da3$54964...@news.astraweb.com...
There is a stdlib PBKDF2. If you want to avoid third-party dependencies,
use that.
https://docs.python.org/3.4/library/hashlib.html#hashlib.pbkdf2_hmac
Thanks for the pointer.
From the docs - 15
On Sat, Dec 24, 2016 at 7:08 PM, Paul Rubin wrote:
> Chris Angelico writes:
>> Correct. However, weak passwords are ultimately the user's
>> responsibility, where the hashing is the server's responsibility.
>
> No, really, the users are part of the system and therefore the system
> designer must
Chris Angelico writes:
> Correct. However, weak passwords are ultimately the user's
> responsibility, where the hashing is the server's responsibility.
No, really, the users are part of the system and therefore the system
designer must take the expected behavior of actual users into account.
The
Steve D'Aprano writes:
> You say that as if two-factor auth was a panacea.
Of course it's not a panacea, but it helps quite a lot.
> That's the sort of thinking that leads to: ...
Beyond that, web browsers are the new Microsoft Windows with all of its
security holes and bloat and upgrade treadm
Steve D'Aprano:
> https://www.schneier.com/blog/archives/2005/10/scandinavian_at_1.html
EDITED TO ADD: Here's a related story. The Bank of New Zealand
suspended Internet banking because of phishing concerns. Now there's
a company that is taking the threat seriously.
That's the troub
On Sat, Dec 24, 2016 at 6:18 PM, Paul Rubin wrote:
> Chris Angelico writes:
>> Solution: Don't use dictionary-attackable passwords.
>
> If you allow people to choose their own passwords, they'll too-often
> pick dictionary-attackable ones; or even if they choose difficult ones,
> they'll use them
Chris Angelico writes:
> Solution: Don't use dictionary-attackable passwords.
If you allow people to choose their own passwords, they'll too-often
pick dictionary-attackable ones; or even if they choose difficult ones,
they'll use them in more than one place, and eventually the weakest of
those
On Sat, Dec 24, 2016 at 12:32 PM, Steve D'Aprano wrote:
> not to mention the abomination of "one factor authentication, twice", like
> that used by the Australian government unified web portal. To log in, you
> have to provide something you know (username and password), plus something
> else you k
On Sat, 24 Dec 2016 11:20 am, Paul Rubin wrote:
> What is it that you are trying to secure? If it's something important,
> set up 2-factor authentication (such as TOTP) and encourage your users
> to use it.
You say that as if two-factor auth was a panacea.
That's the sort of thinking that lead
On Sat, Dec 24, 2016 at 11:20 AM, Paul Rubin wrote:
> The basic problem is those functions are fast enough to make dictionary
> attacks feasible. The preferred password hashing function these days is
> Argon2, which has some tunable security parameters:
Solution: Don't use dictionary-attackable
> "Salted hashing (or just hashing) with BLAKE2 or any other
> general-purpose cryptographic hash function, such as SHA-256, is not
> suitable for hashing passwords. See BLAKE2 FAQ for more information."
>
> I propose to ignore this warning. I feel that, for my purposes, the
> above procedure is ad
On Sat, Dec 24, 2016 at 3:58 AM, Steve D'Aprano wrote:
> By the way, thanks for raising this interesting question! This is exactly
> the sort of thing that the secrets module is supposed to make a "no
> brainer", so I expect that it will get a password hash function.
+1. Please can we see somethi
On Fri, 23 Dec 2016 10:08 pm, Frank Millman wrote:
> "Steve D'Aprano" wrote in message
> news:585d009f$0$1599$c3e8da3$54964...@news.astraweb.com...
>>
>> On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote:
>>
>> >
>> > 3. Generate the password from the string supplied by the user as
>> > follows -
"Chris Angelico" wrote in message
news:captjjmpppgm+_ut_amtnb7vgo0vrgptu6iagyjqwvpxg5yp...@mail.gmail.com...
On Fri, Dec 23, 2016 at 9:19 PM, Frank Millman wrote:
> 3. Generate the password from the string supplied by the user as
> follows -
> from hashlib import blake2b
> password =
"Frank Millman" writes:
> ... Here are my thoughts on improving this.
>
> 1. Generate a 'salt' for each password. There seem to be two ways in
> the standard library to do this -
> import os
> salt = os.urandom(16)
>
> import secrets
> salt = secrets.token_bytes(16)
>
> My guess is
On Fri, Dec 23, 2016 at 9:19 PM, Frank Millman wrote:
> At present I just store a SHA-1 hash of the password for each user. Here are
> my thoughts on improving this.
>
> 1. Generate a 'salt' for each password. There seem to be two ways in the
> standard library to do this -
> import os
> sal
"Steve D'Aprano" wrote in message
news:585d009f$0$1599$c3e8da3$54964...@news.astraweb.com...
On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote:
>
> 3. Generate the password from the string supplied by the user as
> follows -
> from hashlib import blake2b
> password = blake2b('my_pass
On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote:
[...]
> Having read the previous thread and various links, I want to review the
> way I handle passwords in my accounting application.
>
> At present I just store a SHA-1 hash of the password for each user. Here
> are my thoughts on improving thi
Hi all
This is a follow-up to my recent 'security question' post.
I am starting a new thread, for 2 reasons -
1) I sent a link to the previous thread to my ISP for their information. It
is up to them whether they do anything with it, but I wanted to keep that
thread focused on the original is