Re: Another security question

2016-12-25 Thread Steve D'Aprano
On Sat, 24 Dec 2016 06:38 pm, Chris Angelico wrote: > weak passwords are ultimately the user's > responsibility I suppose that's true, in the same way that not getting sewerage into the drinking water supply is also ultimately the user's responsibility. You forget that weak passwords don't

Re: Another security question

2016-12-24 Thread Paul Rubin
Chris Angelico writes: > as a sysadmin, I have lots of control over the hashing, and very > little on passwords. I could enforce a minimum password length, but I > can't prevent password reuse, and I can't do much about the other > forms of weak passwords. Right, 2FA helps with

Re: Another security question

2016-12-24 Thread Frank Millman
"Frank Millman" wrote in message news:o3lcfk$pah$1...@blaine.gmane.org... By the way, I have realised how I ended up getting sidetracked by Blake2 in the first place. If you call up the online documentation for Python3.6 and select modules>h> hashlib, it takes you straight to 15.2.

Re: Another security question

2016-12-24 Thread Frank Millman
"Steve D'Aprano" wrote in message news:585d57d5$0$1587$c3e8da3$54964...@news.astraweb.com... There is a stdlib PBKDF2. If you want to avoid third-party dependencies, use that. https://docs.python.org/3.4/library/hashlib.html#hashlib.pbkdf2_hmac Thanks for the pointer. From the docs -

Re: Another security question

2016-12-24 Thread Chris Angelico
On Sat, Dec 24, 2016 at 7:08 PM, Paul Rubin wrote: > Chris Angelico writes: >> Correct. However, weak passwords are ultimately the user's >> responsibility, where the hashing is the server's responsibility. > > No, really, the users are part of the

Re: Another security question

2016-12-24 Thread Paul Rubin
Chris Angelico writes: > Correct. However, weak passwords are ultimately the user's > responsibility, where the hashing is the server's responsibility. No, really, the users are part of the system and therefore the system designer must take the expected behavior of actual users

Re: Another security question

2016-12-24 Thread Paul Rubin
Steve D'Aprano writes: > You say that as if two-factor auth was a panacea. Of course it's not a panacea, but it helps quite a lot. > That's the sort of thinking that leads to: ... Beyond that, web browsers are the new Microsoft Windows with all of its security holes

Re: Another security question

2016-12-24 Thread Marko Rauhamaa
Steve D'Aprano : > https://www.schneier.com/blog/archives/2005/10/scandinavian_at_1.html EDITED TO ADD: Here's a related story. The Bank of New Zealand suspended Internet banking because of phishing concerns. Now there's a company that is taking the threat

Re: Another security question

2016-12-23 Thread Chris Angelico
On Sat, Dec 24, 2016 at 6:18 PM, Paul Rubin wrote: > Chris Angelico writes: >> Solution: Don't use dictionary-attackable passwords. > > If you allow people to choose their own passwords, they'll too-often > pick dictionary-attackable ones; or even if

Re: Another security question

2016-12-23 Thread Paul Rubin
Chris Angelico writes: > Solution: Don't use dictionary-attackable passwords. If you allow people to choose their own passwords, they'll too-often pick dictionary-attackable ones; or even if they choose difficult ones, they'll use them in more than one place, and eventually

Re: Another security question

2016-12-23 Thread Chris Angelico
On Sat, Dec 24, 2016 at 12:32 PM, Steve D'Aprano wrote: > not to mention the abomination of "one factor authentication, twice", like > that used by the Australian government unified web portal. To log in, you > have to provide something you know (username and

Re: Another security question

2016-12-23 Thread Steve D'Aprano
On Sat, 24 Dec 2016 11:20 am, Paul Rubin wrote: > What is it that you are trying to secure? If it's something important, > set up 2-factor authentication (such as TOTP) and encourage your users > to use it. You say that as if two-factor auth was a panacea. That's the sort of thinking that

Re: Another security question

2016-12-23 Thread Chris Angelico
On Sat, Dec 24, 2016 at 11:20 AM, Paul Rubin wrote: > The basic problem is those functions are fast enough to make dictionary > attacks feasible. The preferred password hashing function these days is > Argon2, which has some tunable security parameters: Solution: Don't

Re: Another security question

2016-12-23 Thread Paul Rubin
> "Salted hashing (or just hashing) with BLAKE2 or any other > general-purpose cryptographic hash function, such as SHA-256, is not > suitable for hashing passwords. See BLAKE2 FAQ for more information." > > I propose to ignore this warning. I feel that, for my purposes, the > above procedure is

Re: Another security question

2016-12-23 Thread Chris Angelico
On Sat, Dec 24, 2016 at 3:58 AM, Steve D'Aprano wrote: > By the way, thanks for raising this interesting question! This is exactly > the sort of thing that the secrets module is supposed to make a "no > brainer", so I expect that it will get a password hash function.

Re: Another security question

2016-12-23 Thread Steve D'Aprano
On Fri, 23 Dec 2016 10:08 pm, Frank Millman wrote: > "Steve D'Aprano" wrote in message > news:585d009f$0$1599$c3e8da3$54964...@news.astraweb.com... >> >> On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote: >> >> > >> > 3. Generate the password from the string supplied by the user as >> > follows

Re: Another security question

2016-12-23 Thread Frank Millman
"Chris Angelico" wrote in message news:captjjmpppgm+_ut_amtnb7vgo0vrgptu6iagyjqwvpxg5yp...@mail.gmail.com... On Fri, Dec 23, 2016 at 9:19 PM, Frank Millman wrote: > 3. Generate the password from the string supplied by the user as > follows - >from hashlib import

Re: Another security question

2016-12-23 Thread Ben Bacarisse
"Frank Millman" writes: > ... Here are my thoughts on improving this. > > 1. Generate a 'salt' for each password. There seem to be two ways in > the standard library to do this - >import os >salt = os.urandom(16) > >import secrets >salt =

Re: Another security question

2016-12-23 Thread Chris Angelico
On Fri, Dec 23, 2016 at 9:19 PM, Frank Millman wrote: > At present I just store a SHA-1 hash of the password for each user. Here are > my thoughts on improving this. > > 1. Generate a 'salt' for each password. There seem to be two ways in the > standard library to do this - >

Re: Another security question

2016-12-23 Thread Frank Millman
"Steve D'Aprano" wrote in message news:585d009f$0$1599$c3e8da3$54964...@news.astraweb.com... On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote: > > 3. Generate the password from the string supplied by the user as > follows - > from hashlib import blake2b > password =

Re: Another security question

2016-12-23 Thread Steve D'Aprano
On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote: [...] > Having read the previous thread and various links, I want to review the > way I handle passwords in my accounting application. > > At present I just store a SHA-1 hash of the password for each user. Here > are my thoughts on improving

Another security question

2016-12-23 Thread Frank Millman
Hi all This is a follow-up to my recent 'security question' post. I am starting a new thread, for 2 reasons - 1) I sent a link to the previous thread to my ISP for their information. It is up to them whether they do anything with it, but I wanted to keep that thread focused on the original