The default auth.forms.AuthenticationForm() does not set a max_length for the password field:

https://github.com/django/django/blob/72f6513ebaa7a3fd43c26300e9a8c430dc07cdb5/django/contrib/auth/forms.py#L120-L126

OK, there is not really a max_length constraint, because in the end auth.models.User only has to store the hash value.

The available hashers will consume more RAM if the password is very long (the CPU usage is very similar to that for a short password). The password size is only limited if the server has a POST data limit, but it seems that POST limits are not set, or are very large, on default installations...

On the other hand, I didn't see any side effects with a limit, e.g. max_length=1024.

Another thing: auth.models.AbstractUser has the 'username' field with max_length=30 and validators.RegexValidator(r'^[\w.@+-]+$', ...).

The AuthenticationForm has max_length=254 and no validator...

IMHO one principle is: validate incoming data as soon as possible, isn't it?

The next thing is "auth.signals.user_login_failed".

This signal is only fired if the auth backends were called.
IMHO it should be fired on every failed login, also if the form is not valid.

--

Kind regards,

Jens Diemer

----
http://www.jensdiemer.de
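As an added illustration, not part of this message or of Django's own code, a stand-alone Python model of the three points raised above: cap the password length at the form before any hasher sees it, apply AbstractUser's username rules at the form, and fire user_login_failed on an invalid form as well as on a backend failure. The names validate_form, login and FailedLoginSignal, and the salted SHA-256 store standing in for Django's hashers, are assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Values quoted in the message (AbstractUser's username rules, suggested
# password cap). The module itself is a model, not Django's code.
USERNAME_MAX_LENGTH = 30
USERNAME_RE = re.compile(r"^[\w.@+-]+$")
PASSWORD_MAX_LENGTH = 1024


def _hash(password, salt="constructed-salt"):
    """Stand-in for Django's password hashers (constructed, not production)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: username -> password hash.
USERS = {"alice": _hash("correct horse")}


@dataclass
class FailedLoginSignal:
    """Minimal stand-in for auth.signals.user_login_failed."""
    received: list = field(default_factory=list)

    def send(self, **credentials):
        # Like Django, never carry the raw password in the signal payload.
        self.received.append(credentials)


user_login_failed = FailedLoginSignal()


def validate_form(username, password):
    """Form-level checks, run before any hasher sees the password."""
    errors = []
    if not username or len(username) > USERNAME_MAX_LENGTH or not USERNAME_RE.match(username):
        errors.append("username")
    if not password or len(password) > PASSWORD_MAX_LENGTH:
        errors.append("password")
    return errors


def login(username, password):
    """Return True on success; fire user_login_failed on every failure path."""
    errors = validate_form(username, password)
    if errors:
        # Invalid form: the signal still fires and the hasher is never reached.
        user_login_failed.send(username=username, reason="invalid_form:" + ",".join(errors))
        return False
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        user_login_failed.send(username=username, reason="invalid_credentials")
        return False
    return True
```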
