Password validation security issue

Christian Heimes christian at python.org
Sun Mar 2 20:25:24 CET 2014


On 01.03.2014 21:11, Chris Angelico wrote:
> The problem isn't SHA-256. The problem is insecure passwords, the way
> we've been taught to make them by the banks. Hence, XKCD 936.

Your argumentation is just wrong. You are saying "It's OK to use a
totally insecure way to hash passwords because passwords are insecure".
The point of KDF and KSA is to derive some token from a low entropy
source (human input) that makes an attack harder. Please do your reading
and trust secure experts on algorithms like PBKDF2, bcrypt and
scrypt. hash(salt + password) is outdated and proven to be insecure for
at least a decade, more like 15+ years.

The concept of passwords itself is insecure. But we are stuck with
passwords for authentication mechanism for the foreseeable future. 2FA
is an attempt to increase the security of passwords-based authentication
schemes.

Christian




More information about the Python-list mailing list