On Tue, Jul 3, 2012 at 11:53 AM, Kushal Kumaran <kushal.kumaran+pyt...@gmail.com> wrote: > On Sat, Jun 30, 2012 at 3:34 PM, Alister <alister.w...@ntlworld.com> wrote: >> On Fri, 29 Jun 2012 09:03:22 -0600, Littlefield, Tyler wrote: >> >>> On 6/29/2012 1:31 AM, Steven D'Aprano wrote: >>>> On Thu, 28 Jun 2012 20:58:15 -0700, alex23 wrote: >>>> >>>>> On Jun 29, 12:57 pm, "Littlefield, Tyler" <ty...@tysdomain.com> wrote: >>>>>> I was curious if someone wouldn't mind poking at some code. The >>>>>> project page is at:http://code.google.com/p/pymud Any information is >>>>>> greatly appreciated. >>>>> I couldn't find any actual code at that site, the git repository is >>>>> currently empty. >>> >>> OOPS, sorry. Apparently I'm not as good with git as I thought. >>> Everything's in the repo now. >> >> I think I may be on firmer grounds with the next few: >> >> isValidPassword can be simplified to >> >> def isValidPassword(password: >> count=len(password) >> return count>= mud.minpass and count<= mud.maxpass >> > > I haven't actually seen the rest of the code, but I would like to > point out that applications placing maximum length limits on passwords > are extremely annoying.
They're annoying when the maximum length is unreasonably small, but you have to have a maximum length to close off one DoS attack vector. Without a limit, if a "user" presents a 1 GB password, then guess what? Your system has to hash that GB of data before it can reject it. And if you're serious about security then it will be a cryptographic hash, and that means slow. To prevent that, the system needs to reject outright password attempts that are longer than some predetermined reasonable length, and if the system won't authenticate those passwords, then it can't allow the user to set them either. Cheers, Ian -- http://mail.python.org/mailman/listinfo/python-list