On 01.03.2014 21:11, Chris Angelico wrote:
> The problem isn't SHA-256. The problem is insecure passwords, the way
> we've been taught to make them by the banks. Hence, XKCD 936.

Your argumentation is just wrong. You are saying "It's OK to use a totally insecure way to hash passwords because passwords are insecure". The point of a KDF and KSA is to derive some token from a low-entropy source (human input) that makes an attack harder. Please do your reading and trust security experts on algorithms like PBKDF2, bcrypt and scrypt. hash(salt + password) is outdated and has been proven insecure for at least a decade, more like 15+ years.

The concept of passwords itself is insecure. But we are stuck with passwords as an authentication mechanism for the foreseeable future. 2FA is an attempt to increase the security of password-based authentication schemes.

Christian

-- 
https://mail.python.org/mailman/listinfo/python-list
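The contrast the message draws, a single hash over salt + password versus a proper KDF such as PBKDF2, is shown below in an added example using only the Python standard library; it is not code from either participant in the thread. The iteration count, the `algorithm$iterations$salt$key` storage format and the `cost_ratio` helper are choices made for this example, not anything the message prescribes. The block goes slightly beyond the message by also showing why the iteration count should be stored alongside the salt (so it can be raised later) and by measuring, roughly, how much more each password guess costs against the KDF than against the naive hash.

```python
import hashlib
import hmac
import os
import time

# Parameters assumed for this example; a deployment would tune the iteration
# count to its own hardware and revisit it over time.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def naive_hash(salt: bytes, password: str) -> bytes:
    """The outdated scheme the message warns against: one SHA-256 over
    salt || password. A call costs about as much as any other SHA-256,
    so guesses can be tested at full hardware speed."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 from the standard library: the same low-entropy
    input is stretched over `iterations` HMAC rounds, so each guess costs
    an attacker roughly the same work it costs the verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing storage string (format chosen for this
    example): algorithm$iterations$salt_hex$key_hex. Keeping the iteration
    count in the record lets it be raised later without breaking old entries."""
    salt = os.urandom(SALT_BYTES)
    key = derive_key(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Re-derive the key from the stored parameters and compare it in
    constant time, so the comparison itself leaks nothing about the key."""
    algo, iterations, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm: {algo}")
    candidate = derive_key(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def cost_ratio(password: str = "correct horse battery staple",
               iterations: int = PBKDF2_ITERATIONS, samples: int = 1000) -> float:
    """Rough, machine-dependent estimate of how many naive hashes fit into
    the time of one PBKDF2 derivation. This is the 'makes an attack harder'
    factor: every guess against the KDF costs about this many times more."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(samples):
        naive_hash(salt, password)
    naive_per_call = max((time.perf_counter() - start) / samples, 1e-9)
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    kdf_per_call = time.perf_counter() - start
    return kdf_per_call / naive_per_call


if __name__ == "__main__":
    record = make_record("correct horse battery staple")
    print(record)
    print("verify correct:", verify_record(record, "correct horse battery staple"))
    print("verify wrong:  ", verify_record(record, "Tr0ub4dor&3"))
    print(f"one PBKDF2 derivation ~ {cost_ratio():,.0f} naive hashes on this machine")
```

The salt defeats precomputed tables and the iteration count is what actually slows a guessing attack; bcrypt and scrypt add memory or CPU hardness on top of this, which `hashlib` alone does not provide (scrypt is available as `hashlib.scrypt` where OpenSSL supports it).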