Another security question

Paul Rubin no.email at nospam.invalid
Fri Dec 23 19:20:18 EST 2016


> "Salted hashing (or just hashing) with BLAKE2 or any other
> general-purpose cryptographic hash function, such as SHA-256, is not
> suitable for hashing passwords. See BLAKE2 FAQ for more information."
>
> I propose to ignore this warning. I feel that, for my purposes, the
> above procedure is adequate.
>
> Does all this sound reasonable?

The basic problem is those functions are fast enough to make dictionary
attacks feasible.  The preferred password hashing function these days is
Argon2, which has some tunable security parameters:

  https://en.wikipedia.org/wiki/Argon2

Also in use are bcrypt and later scrypt (I think there are wikipedia
articles about both).

What is it that you are trying to secure?  If it's something important,
set up 2-factor authentication (such as TOTP) and encourage your users
to use it.  There are cheap hardware tokens and cost-free smartphone
apps that implement it on the user side.  Linotp.org has a free
implementation for the server side, though I haven't looked at it
closely or tried it yet.


More information about the Python-list mailing list