Path: csiph.com!newsfeed.hal-mli.net!feeder3.hal-mli.net!newsfeed.hal-mli.net!feeder1.hal-mli.net!newsfeed.xs4all.nl!newsfeed1.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=python.org; s=200901; t=1393788339; bh=j8uwdgVbf7Go1PO50Ih/TLddwqCdEqEUzjDbMLTxvxI=; h=To:From:Subject:Date:References:In-Reply-To:From; b=GTRmAr7SDeFMUAcsYuH9hgFJYpfV3PR24K+gEZrLXrmU3k5EDBzh2qjXEciXRQM4M lxyauLOyLP75Q89/gR9Cy+FR5xvPhcJgDY9DmWkjMniMllTM7rMUAbHu+uOUv61nue 7DMDhZbLGigb96c6GXgvj/e6MzsKJBJjBr1mV+Kg= X-Spam-Status: OK 0.027 X-Spam-Evidence: '*H*': 0.95; '*S*': 0.00; 'password)': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; '"it\'s': 0.16; 'banks.': 0.16; 'decade,': 0.16; 'from:name:christian heimes': 0.16; 'outdated': 0.16; 'received:80.91.229.3': 0.16; 'received:plane.gmane.org': 0.16; 'subject:Password': 0.16; 'subject:issue': 0.16; 'subject:security': 0.16; 'from:addr:python.org': 0.16; 'wrote:': 0.18; 'mechanism': 0.19; 'saying': 0.22; 'header:User-Agent:1': 0.23; 'source': 0.25; 'least': 0.26; 'header:X-Complaints-To:1': 0.27; 'header:In-Reply- To:1': 0.27; 'point': 0.28; 'chris': 0.29; 'totally': 0.33; 'problem': 0.35; 'but': 0.35; 'passwords': 0.36; 'christian': 0.38; 'to:addr:python-list': 0.38; 'itself': 0.39; 'to:addr:python.org': 0.39; 'received:org': 0.40; 'algorithms': 0.60; 'experts': 0.60; 'more': 0.64; 'secure': 0.71; 'increase': 0.74; 'low': 0.83; '15+': 0.84; 'insecure': 0.84; 'ksa': 0.84; 'received:89': 0.85; 'passwords,': 0.91; 'taught': 0.96 X-Injected-Via-Gmane: http://gmane.org/ To: python-list@python.org From: Christian Heimes Subject: Re: Password validation security issue Date: Sun, 02 Mar 2014 20:25:24 +0100 References: <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Gmane-NNTP-Posting-Host: 89.204.138.215 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 In-Reply-To: X-Enigmail-Version: 1.5.2 X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 19 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1393788339 news.xs4all.nl 2935 [2001:888:2000:d::a6]:35241 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:67462 On 01.03.2014 21:11, Chris Angelico wrote: > The problem isn't SHA-256. The problem is insecure passwords, the way > we've been taught to make them by the banks. Hence, XKCD 936. Your argumentation is just wrong. You are saying "It's OK to use a totally insecure way to hash passwords because passwords are insecure". The point of KDF and KSA is to derive some token from a low entropy source (human input) that makes an attack harder. Please do your reading and trust secure experts on algorithms like PBKDF2, bcrypt and scrypt. hash(salt + password) is outdated and proven to be insecure for at least a decade, more like 15+ years. The concept of passwords itself is insecure. But we are stuck with passwords for authentication mechanism for the foreseeable future. 2FA is an attempt to increase the security of passwords-based authentication schemes. Christian