Another security question

Chris Angelico rosuav at gmail.com
Sat Dec 24 02:38:47 EST 2016


On Sat, Dec 24, 2016 at 6:18 PM, Paul Rubin <no.email at nospam.invalid> wrote:
> Chris Angelico <rosuav at gmail.com> writes:
>> Solution: Don't use dictionary-attackable passwords.
>
> If you allow people to choose their own passwords, they'll too-often
> pick dictionary-attackable ones; or even if they choose difficult ones,
> they'll use them in more than one place, and eventually the weakest of
> those places will eventually leak it.  At that point it can be tried
> against whatever other hashes the attacker collected.

Correct. However, weak passwords are ultimately the user's
responsibility, where the hashing is the server's responsibility. The
one thing that you _can_ do as server admin is to make appropriate
recommendations, including that if you have one of those "password is
weak" warnings, make sure it favours length over apparent alphabet.

ChrisA


More information about the Python-list mailing list