Another security question
no.email at nospam.invalid
Sat Dec 24 05:12:28 EST 2016
Chris Angelico <rosuav at gmail.com> writes:
> as a sysadmin, I have lots of control over the hashing, and very
> little on passwords. I could enforce a minimum password length, but I
> can't prevent password reuse, and I can't do much about the other
> forms of weak passwords.
Right, 2FA helps with re-use, and difficult hashes like Argon2 help
against dictionary attacks. Whether 2FA is worth the hassle to depends
on what's being secured. You can also assign system-generated passwords
rather than having people choose their own. It's ok for them to write
down the system-generated passwords as long as they keep the paper in a
safe place (similar to how they would carry cash). There's a Schneier
blog post about that someplace.
More information about the Python-list