Ian Kelly <ian.g.ke...@gmail.com> wrote:
> On Tue, Jul 3, 2012 at 11:53 AM, Kushal Kumaran
> <kushal.kumaran+pyt...@gmail.com> wrote:
>> On Sat, Jun 30, 2012 at 3:34 PM, Alister <alister.w...@ntlworld.com> wrote:
>>> On Fri, 29 Jun 2012 09:03:22 -0600, Littlefield, Tyler wrote:
>>>
>>>> On 6/29/2012 1:31 AM, Steven D'Aprano wrote:
>>>>> On Thu, 28 Jun 2012 20:58:15 -0700, alex23 wrote:
>>>>>
>>>>>> On Jun 29, 12:57 pm, "Littlefield, Tyler" <ty...@tysdomain.com> wrote:
>>>>>>> I was curious if someone wouldn't mind poking at some code. The
>>>>>>> project page is at: http://code.google.com/p/pymud Any information is
>>>>>>> greatly appreciated.
>>>>>> I couldn't find any actual code at that site, the git repository is
>>>>>> currently empty.
>>>>
>>>> OOPS, sorry. Apparently I'm not as good with git as I thought.
>>>> Everything's in the repo now.
>>>
>>> I think I may be on firmer grounds with the next few:
>>>
>>> isValidPassword can be simplified to
>>>
>>>     def isValidPassword(password):
>>>         count = len(password)
>>>         return count >= mud.minpass and count <= mud.maxpass
>>>
>>
>> I haven't actually seen the rest of the code, but I would like to
>> point out that applications placing maximum length limits on passwords
>> are extremely annoying.
>
> They're annoying when the maximum length is unreasonably small, but
> you have to have a maximum length to close off one DoS attack vector.
> Without a limit, if a "user" presents a 1 GB password, then guess
> what? Your system has to hash that GB of data before it can reject
> it. And if you're serious about security then it will be a
> cryptographic hash, and that means slow.
>
Well, if you waited until you had the password (however long) in a
variable before you applied your maximum limits, the DoS ship has
probably sailed already.

> To prevent that, the system needs to reject outright password attempts
> that are longer than some predetermined reasonable length, and if the
> system won't authenticate those passwords, then it can't allow the
> user to set them either.
>
> Cheers,
> Ian

-- 
regards,
kushal
-- 
http://mail.python.org/mailman/listinfo/python-list
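The two points made in this exchange (a length cap before any hashing happens, and applying that cap while reading rather than after the whole submission is already in memory) can be put together in a few lines. The following is an added illustration, not code from pymud or from any of the posters; the byte limits, the PBKDF2 key derivation and the newline-terminated wire format are all assumptions made for the example, standing in for whatever the project actually uses.

```python
import hashlib
import hmac
import io
import os

# Bounds assumed for this example; mud.minpass / mud.maxpass in the thread
# play the same role.  Limits are applied to the raw bytes as received.
MIN_PASSWORD_BYTES = 8
MAX_PASSWORD_BYTES = 128
KDF_ITERATIONS = 100_000  # assumed cost parameter for the slow hash


def read_bounded_password(stream, limit=MAX_PASSWORD_BYTES):
    """Read one newline-terminated password from a binary stream while
    never buffering more than limit + 1 bytes.

    Returns the password bytes, or None when the client has sent more than
    `limit` bytes without a terminator.  Stopping the read early is the
    part that keeps an oversized submission from costing memory or CPU;
    checking len() afterwards would be too late, as the thread points out.
    """
    data = stream.readline(limit + 1)  # readline() honours a size cap
    if data.endswith(b"\n"):
        return data[:-1]               # terminated within the cap
    if len(data) > limit:
        return None                    # over the cap, still no terminator
    return data                        # short final line at EOF


def is_valid_password(password):
    """The same length check as the thread's isValidPassword, on bytes."""
    return MIN_PASSWORD_BYTES <= len(password) <= MAX_PASSWORD_BYTES


def hash_password(password, salt=None, iterations=KDF_ITERATIONS):
    """Derive a stored verifier.  Refuses to set a password the system would
    later refuse to authenticate (Ian's point), so the two limits agree."""
    if not is_valid_password(password):
        raise ValueError("password length out of bounds")
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, digest


def verify_password(candidate, salt, expected, iterations=KDF_ITERATIONS):
    """Cheap length reject first, expensive KDF only for plausible input."""
    if not is_valid_password(candidate):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate, salt, iterations)
    return hmac.compare_digest(digest, expected)


def demo():
    """Run the reader and verifier over constructed sample submissions."""
    # Constructed inputs: one sane password, one just inside the cap,
    # one just over it.  Nothing here is read from a real client.
    ok_line = io.BytesIO(b"correct horse battery\n")
    edge_line = io.BytesIO(b"x" * MAX_PASSWORD_BYTES + b"\n")
    long_line = io.BytesIO(b"x" * (MAX_PASSWORD_BYTES + 1) + b"\n")

    results = {
        "ok": read_bounded_password(ok_line),
        "edge": read_bounded_password(edge_line),
        "too_long": read_bounded_password(long_line),
    }
    salt, digest = hash_password(results["ok"], salt=b"\x00" * 16)
    results["verify_ok"] = verify_password(results["ok"], salt, digest)
    results["verify_wrong"] = verify_password(b"wrong horse!!", salt, digest)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The reader accepts a line of exactly `MAX_PASSWORD_BYTES` bytes plus its newline and rejects one byte more, which is the boundary worth testing whenever a limit like this is added; the rejection happens after at most 129 bytes have been read, however much the client intended to send.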