Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #67462

Re: Password validation security issue

Path csiph.com!newsfeed.hal-mli.net!feeder3.hal-mli.net!newsfeed.hal-mli.net!feeder1.hal-mli.net!newsfeed.xs4all.nl!newsfeed1.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path <python-python-list@m.gmane.org>
X-Original-To python-list@python.org
Delivered-To python-list@mail.python.org
DKIM-Signature v=1; a=rsa-sha256; c=relaxed/simple; d=python.org; s=200901; t=1393788339; bh=j8uwdgVbf7Go1PO50Ih/TLddwqCdEqEUzjDbMLTxvxI=; h=To:From:Subject:Date:References:In-Reply-To:From; b=GTRmAr7SDeFMUAcsYuH9hgFJYpfV3PR24K+gEZrLXrmU3k5EDBzh2qjXEciXRQM4M lxyauLOyLP75Q89/gR9Cy+FR5xvPhcJgDY9DmWkjMniMllTM7rMUAbHu+uOUv61nue 7DMDhZbLGigb96c6GXgvj/e6MzsKJBJjBr1mV+Kg=
X-Spam-Status OK 0.027
X-Spam-Evidence '*H*': 0.95; '*S*': 0.00; 'password)': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; '"it\'s': 0.16; 'banks.': 0.16; 'decade,': 0.16; 'from:name:christian heimes': 0.16; 'outdated': 0.16; 'received:80.91.229.3': 0.16; 'received:plane.gmane.org': 0.16; 'subject:Password': 0.16; 'subject:issue': 0.16; 'subject:security': 0.16; 'from:addr:python.org': 0.16; 'wrote:': 0.18; 'mechanism': 0.19; 'saying': 0.22; 'header:User-Agent:1': 0.23; 'source': 0.25; 'least': 0.26; 'header:X-Complaints-To:1': 0.27; 'header:In-Reply- To:1': 0.27; 'point': 0.28; 'chris': 0.29; 'totally': 0.33; 'problem': 0.35; 'but': 0.35; 'passwords': 0.36; 'christian': 0.38; 'to:addr:python-list': 0.38; 'itself': 0.39; 'to:addr:python.org': 0.39; 'received:org': 0.40; 'algorithms': 0.60; 'experts': 0.60; 'more': 0.64; 'secure': 0.71; 'increase': 0.74; 'low': 0.83; '15+': 0.84; 'insecure': 0.84; 'ksa': 0.84; 'received:89': 0.85; 'passwords,': 0.91; 'taught': 0.96
X-Injected-Via-Gmane http://gmane.org/
To python-list@python.org
From Christian Heimes <christian@python.org>
Subject Re: Password validation security issue
Date Sun, 02 Mar 2014 20:25:24 +0100
References <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> <CAPTjJmqCTLqXgmHMm2QGYJB1MmYEnhMV3OGe0jPc_UOoUQ9gQA@mail.gmail.com> <let920$fmn$1@ger.gmane.org> <CAPTjJmq0MYQugUnsL52ZN0um=V3iABHmM4+vsffD=+2YV7t=MA@mail.gmail.com> <letdt5$1g3$1@ger.gmane.org> <CAPTjJmra0AjHYjk3G+2mSgsewpX0qcmcKpQtqnebHXsQfT2YqQ@mail.gmail.com>
Mime-Version 1.0
Content-Type text/plain; charset=ISO-8859-1
Content-Transfer-Encoding 7bit
X-Gmane-NNTP-Posting-Host 89.204.138.215
User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
In-Reply-To <CAPTjJmra0AjHYjk3G+2mSgsewpX0qcmcKpQtqnebHXsQfT2YqQ@mail.gmail.com>
X-Enigmail-Version 1.5.2
X-BeenThere python-list@python.org
X-Mailman-Version 2.1.15
Precedence list
List-Id General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive <http://mail.python.org/pipermail/python-list/>
List-Post <mailto:python-list@python.org>
List-Help <mailto:python-list-request@python.org?subject=help>
List-Subscribe <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups comp.lang.python
Message-ID <mailman.7592.1393788339.18130.python-list@python.org> (permalink)
Lines 19
NNTP-Posting-Host 2001:888:2000:d::a6
X-Trace 1393788339 news.xs4all.nl 2935 [2001:888:2000:d::a6]:35241
X-Complaints-To abuse@xs4all.nl
Xref csiph.com comp.lang.python:67462

Show key headers only | View raw

On 01.03.2014 21:11, Chris Angelico wrote:
> The problem isn't SHA-256. The problem is insecure passwords, the way
> we've been taught to make them by the banks. Hence, XKCD 936.

Your argumentation is just wrong. You are saying "It's OK to use a
totally insecure way to hash passwords because passwords are insecure".
The point of KDF and KSA is to derive some token from a low entropy
source (human input) that makes an attack harder. Please do your reading
and trust secure experts on algorithms like PBKDF2, bcrypt and
scrypt. hash(salt + password) is outdated and proven to be insecure for
at least a decade, more like 15+ years.

The concept of passwords itself is insecure. But we are stuck with
passwords for authentication mechanism for the foreseeable future. 2FA
is an attempt to increase the security of passwords-based authentication
schemes.

Christian

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-01 09:49 -0800
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 19:31 +0100
  Re: Password validation security issue Tim Chase <python.list@tim.thechases.com> - 2014-03-01 12:38 -0600
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:43 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:45 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 20:54 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-01 15:25 -0500
      Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 23:07 +0100
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 09:13 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 07:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-02 20:25 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-02 15:01 -0500
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 07:32 +1100
      Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 01:16 +0000
        Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:52 -0700
          Re: Password validation security issue Steven D'Aprano <steve@pearwood.info> - 2014-03-03 04:38 +0000
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 16:44 +1100
            Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 23:50 -0700
        Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 13:56 +1100
          Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-03 08:41 -0500
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 00:55 +1100
              Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 16:46 +0000
                Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 05:46 +1100
            Re: Password validation security issue MRAB <python@mrabarnett.plus.com> - 2014-03-03 16:29 +0000
            Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 17:41 +0000
  Re: Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-02 15:10 -0800
    Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:49 -0700
    Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 02:30 +0000

csiph-web