Another security question
rosuav at gmail.com
Sat Dec 24 03:29:02 EST 2016
On Sat, Dec 24, 2016 at 7:08 PM, Paul Rubin <no.email at nospam.invalid> wrote:
> Chris Angelico <rosuav at gmail.com> writes:
>> Correct. However, weak passwords are ultimately the user's
>> responsibility, where the hashing is the server's responsibility.
> No, really, the users are part of the system and therefore the system
> designer must take the expected behavior of actual users into account.
> The idea is to prevent breaches, not to allow them as long as the blame
> can be shifted to someone else.
I agree, but that's why I said "ultimately". As an end user of a
system, I have no control over the hashing used, and lots of control
over the password I use; as a sysadmin, I have lots of control over
the hashing, and very little on passwords. I could enforce a minimum
password length, but I can't prevent password reuse, and I can't do
much about the other forms of weak passwords.
More information about the Python-list