Another security question

Chris Angelico rosuav at
Sat Dec 24 02:38:47 EST 2016

On Sat, Dec 24, 2016 at 6:18 PM, Paul Rubin < at nospam.invalid> wrote:
> Chris Angelico <rosuav at> writes:
>> Solution: Don't use dictionary-attackable passwords.
> If you allow people to choose their own passwords, they'll too-often
> pick dictionary-attackable ones; or even if they choose difficult ones,
> they'll use them in more than one place, and eventually the weakest of
> those places will leak it.  At that point it can be tried
> against whatever other hashes the attacker collected.

Correct. However, weak passwords are ultimately the user's
responsibility, where the hashing is the server's responsibility. The
one thing that you _can_ do as server admin is to make appropriate
recommendations, including that if you have one of those "password is
weak" warnings, make sure it favours length over apparent alphabet.
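As an added illustration of that last point (example code, not from the thread), here is a typical character-class "password meter" beside a length-favouring search-space estimate, run over constructed sample passwords; the two disagree on which one is weak.

```python
import math
import string

# Constructed sample passwords for the demonstration (not from the thread).
SAMPLES = [
    "P@ss1!",                        # short, all four character classes
    "Tr0ub4dor&3",                   # the classic "complex-looking" short one
    "correct horse battery staple",  # long, lowercase plus spaces
]

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation, " ")


def class_score(pw: str) -> int:
    """Typical 'apparent alphabet' meter: one point per character class
    present, one bonus point for length >= 8.  Capped at 5, so a long
    lowercase passphrase can never outscore short symbol soup."""
    score = sum(1 for cls in CLASSES[:4] if any(c in cls for c in pw))
    return score + (1 if len(pw) >= 8 else 0)


def search_space_bits(pw: str) -> float:
    """Length-favouring estimate: log2 of the brute-force search space,
    len(pw) * log2(size of the alphabet actually used).  Length counts
    linearly, alphabet size only logarithmically.  This is an upper bound
    (it assumes independent characters), so pair it with a common-password
    blocklist rather than relying on it alone."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def is_weak(pw: str, min_bits: float = 80.0) -> bool:
    """Weak-password warning driven by the length-favouring estimate.
    The 80-bit threshold is an arbitrary choice for the demo."""
    return search_space_bits(pw) < min_bits


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:32} classes={class_score(pw)} "
              f"bits={search_space_bits(pw):6.1f} weak={is_weak(pw)}")
```

The class meter gives "Tr0ub4dor&3" a perfect 5 and the passphrase a 2, while the search-space estimate ranks them the other way round, which is the behaviour the post asks for.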
