On 24/12/2020 12:25, Chris Angelico wrote:
On Thu, Dec 24, 2020 at 9:42 AM dn via Python-list
<python-list@python.org> wrote:
Hang-on though, look at how much 'work' is involved, compared with a
single line of RegEx! Why go to such bother? There's several reasons.
Good question! Look at this alternative:
def validate_password(attempt):
    return len(attempt) >= 11
Wow! So much easier. Only one function needed AND it's more secure!
You and I have discussed such topics before @Chris. However, we both
know that if the client specifies something (and we can't moderate
such), we deliver accordingly - per Alfred Lord Tennyson.
What we don't know is the OP's wiggle-room with his/her 'client' - which
may be zero if the 'client' is an assignment-grade!
However, the discussion 'beyond' the OP's immediate question is very
necessary!
A frequent call is to increase the minimum-length of passwords. How
could we do this? Using RegEx, adjust the counter - but which part is
the 'counter'?
In my example here, it's pretty easy to find!
In a 'global definition' block or buried in the code-base?
If our ambitions include dreams of 'world domination', then we can
extend exactly the same idea of "rule" to the other three routines!
Whilst we 'start' with (say) the ASCII character definitions of a-z, we
will *be able* to extend into accented characters such as "ô" - which
really would promote us to take a rôle on the world-stage.
(hah!)
Wow! It wins on that too! And even better - it counts Cyrillic letters
as letters, it counts Greek letters as letters, and it counts Arabic
letters as letters too! Isn't it so much easier than a regex?
- but wouldn't you agree that
attempt == "x"*12
is no safer than "xxxx"? So, maybe a length-rule without any other
consideration is 'weak-beer'?
(speaking of beer, and for the benefit of non-Australians, and people
everywhere who did learn their abc-s, "xxxx" is how @Chris spells "beer"!)
NB probably not suitable for office-viewing:
https://www.youtube.com/watch?v=mtwkDGlpWJk - cheers @Chris!
Speaking of Australian humor:-
If we're going to be nice to our users, from where do we express these
"rules"? If the rule is hard-coded, then the user-advice must also be
hard-coded - and what do we say about having 'the same code' in multiple
locations? (see also "DRY principle"). How could one state "the rules"
*once*, and in such a fashion that they can be used for UX output and a
RegEx?
Very very good point. I think "Passwords must be at least eleven
characters long" is a problem, because you would need to *manually*
translate the number "11" into the word "eleven". So the best way
would be to use "Passwords must be at least {minlength} characters
long" and then you know that it's going to correlate.
Now you're just being plain mischievous!
Second UX-consideration (and it's a 'biggie'!): if a password 'fails',
how can we take the 'result' from a large and complex RegEx, and explain
to the user which [multiple] of the five requirements was/were not met?
A failure in the RegEx above tells the system not to proceed, but
doesn't tell the user if a letter is missing, a digit, ...
True, very true. Once again, a win for simplicity: with only one rule,
it's easy to know which one you ran up against.
The 'one rule' I try to live-by, is not to attempt 'important stuff' in
which I have insufficient knowledge*. Rather than strain my brain (and
spend an inordinate amount of time) deciding if/how to authenticate and
authorise users, and then coding same, I'd rather pass the task to a
TechSec specialist!
* which *may* make me seem less like Dilbert, and more Wally
https://en.wikipedia.org/wiki/List_of_Dilbert_characters
--
Regards =dn
--
https://mail.python.org/mailman/listinfo/python-list
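One way to state the rules *once* and reuse them for both the validation and the user-facing explanation, as the thread above discusses: an added Python example, not code from either poster; the particular rule set, the 'distinct characters' rule and the MIN_LENGTH value are assumptions.

```python
# Added example (not from the thread): password rules stated once as data,
# so one table drives validation, the list of every rule an attempt failed,
# and the wording of the rules shown to users up front.
import unicodedata

MIN_LENGTH = 11  # the 'counter' lives in exactly one place (assumed value)

# Each rule: (predicate over the attempt, message template). The template is
# formatted with the same constant the predicate uses, so the advice and the
# code cannot drift apart (the thread's DRY / "{minlength}" point).
RULES = [
    (lambda s: len(s) >= MIN_LENGTH,
     "be at least {minlength} characters long"),
    # str.isalpha()/isdigit() are Unicode-aware: "ô", Cyrillic, Greek and
    # Arabic letters all count as letters, as Chris points out.
    (lambda s: any(c.isalpha() for c in s), "contain a letter"),
    (lambda s: any(c.isdigit() for c in s), "contain a digit"),
    (lambda s: any(not c.isalnum() and not c.isspace() for c in s),
     "contain a symbol"),
    # The "xxxx" objection: length alone is weak if it is one repeated
    # character, so require some variety (assumed rule, not in the thread).
    (lambda s: len(set(s)) >= 4, "use at least 4 distinct characters"),
]


def describe_rules():
    """The rules as shown to the user before they type anything."""
    return ["Passwords must " + msg.format(minlength=MIN_LENGTH)
            for _, msg in RULES]


def failed_rules(attempt):
    """Messages for every rule the attempt fails (empty list means OK)."""
    attempt = unicodedata.normalize("NFC", attempt)  # "ô" counted once
    return [msg.format(minlength=MIN_LENGTH)
            for check, msg in RULES if not check(attempt)]


def validate_password(attempt):
    return not failed_rules(attempt)


if __name__ == "__main__":
    for pw in ["xxxx", "x" * 12, "Rôle-of-Zoë-7", "пароль2020!"]:
        print(repr(pw), failed_rules(pw) or "OK")
```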