Another security question

Paul Rubin no.email at nospam.invalid
Sat Dec 24 05:12:28 EST 2016


Chris Angelico <rosuav at gmail.com> writes:
> as a sysadmin, I have lots of control over the hashing, and very
> little on passwords. I could enforce a minimum password length, but I
> can't prevent password reuse, and I can't do much about the other
> forms of weak passwords.

Right, 2FA helps with re-use, and difficult hashes like Argon2 help
against dictionary attacks.  Whether 2FA is worth the hassle to depends
on what's being secured.  You can also assign system-generated passwords
rather than having people choose their own.  It's ok for them to write
down the system-generated passwords as long as they keep the paper in a
safe place (similar to how they would carry cash).  There's a Schneier
blog post about that someplace.


More information about the Python-list mailing list