From: Ian Kelly
Date: Tue, 3 Jul 2012 12:19:25 -0600
Subject: Re: code review
To: Kushal Kumaran
Cc: Python User
Newsgroups: comp.lang.python

On Tue, Jul 3, 2012 at 11:53 AM, Kushal Kumaran wrote:
> On Sat, Jun 30, 2012 at 3:34 PM, Alister wrote:
>> On Fri, 29 Jun 2012 09:03:22 -0600, Littlefield, Tyler wrote:
>>
>>> On 6/29/2012 1:31 AM, Steven D'Aprano wrote:
>>>> On Thu, 28 Jun 2012 20:58:15 -0700, alex23 wrote:
>>>>
>>>>> On Jun 29, 12:57 pm, "Littlefield, Tyler" wrote:
>>>>>> I was curious if someone wouldn't mind poking at some code. The
>>>>>> project page is at: http://code.google.com/p/pymud Any information is
>>>>>> greatly appreciated.
>>>>> I couldn't find any actual code at that site, the git repository is
>>>>> currently empty.
>>>
>>> OOPS, sorry. Apparently I'm not as good with git as I thought.
>>> Everything's in the repo now.
>>
>> I think I may be on firmer grounds with the next few:
>>
>> isValidPassword can be simplified to
>>
>> def isValidPassword(password):
>>     count = len(password)
>>     return count >= mud.minpass and count <= mud.maxpass
>>
>
> I haven't actually seen the rest of the code, but I would like to
> point out that applications placing maximum length limits on passwords
> are extremely annoying.

They're annoying when the maximum length is unreasonably small, but you
have to have a maximum length to close off one DoS attack vector.
Without a limit, if a "user" presents a 1 GB password, then guess what?
Your system has to hash that GB of data before it can reject it. And if
you're serious about security then it will be a cryptographic hash, and
that means slow. To prevent that, the system needs to reject outright
password attempts that are longer than some predetermined reasonable
length, and if the system won't authenticate those passwords, then it
can't allow the user to set them either.

Cheers,
Ian
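The check Ian describes, with the length test placed in front of the slow hash on both the set-password and the authenticate path, as an added example. This is not code from the thread or from the pymud project: the bounds MIN_PASSWORD_LEN / MAX_PASSWORD_LEN stand in for the quoted mud.minpass / mud.maxpass, PBKDF2 with a high iteration count stands in for whatever KDF the project uses, and the KDF_STATS counter exists only to make visible that an oversized password never reaches the hash.

```python
import hashlib
import hmac
import os
import time

# Assumed bounds, constructed for this example. The quoted code reads
# them from mud.minpass / mud.maxpass; these names are placeholders.
MIN_PASSWORD_LEN = 8
MAX_PASSWORD_LEN = 128      # measured in UTF-8 bytes: that is what the KDF hashes

# Deliberately expensive KDF settings. This cost is the whole reason a
# 1 GB "password" has to be rejected before it ever reaches the hash.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16

# Instrumentation for the example only: how many times the KDF ran.
KDF_STATS = {"calls": 0}


class InvalidPasswordLength(ValueError):
    """Raised on set/change before any hashing work has been done."""


def is_valid_password(password: bytes) -> bool:
    """The thread's isValidPassword, applied to the encoded bytes.

    The same bounds are used when setting and when authenticating, so the
    system never accepts a password it would later refuse to check.
    """
    count = len(password)
    return MIN_PASSWORD_LEN <= count <= MAX_PASSWORD_LEN


def _kdf(password: bytes, salt: bytes) -> bytes:
    # Only ever called after the length check has passed.
    KDF_STATS["calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def set_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) for storage; refuses out-of-range lengths first."""
    pw = password.encode("utf-8")
    if not is_valid_password(pw):
        raise InvalidPasswordLength(
            f"password must be {MIN_PASSWORD_LEN}..{MAX_PASSWORD_LEN} bytes, "
            f"got {len(pw)}"
        )
    salt = os.urandom(SALT_LEN)
    return salt, _kdf(pw, salt)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Authenticate; an oversized attempt is rejected without hashing it."""
    pw = password.encode("utf-8")
    if not is_valid_password(pw):
        return False                      # cheap rejection, no KDF work
    digest = _kdf(pw, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    salt, digest = set_password("correct horse battery")      # constructed sample
    print("good login:", verify_password("correct horse battery", salt, digest))

    # A 64 MiB attempt stands in for Ian's 1 GB example. It is refused
    # before the KDF runs, so the call count does not move.
    huge = "a" * (64 << 20)
    before = KDF_STATS["calls"]
    t0 = time.perf_counter()
    print("huge login:", verify_password(huge, salt, digest),
          f"({time.perf_counter() - t0:.4f}s, KDF calls added: "
          f"{KDF_STATS['calls'] - before})")
```

The check is done on the encoded byte length rather than the character count, since the hash function sees bytes; a multi-byte character could otherwise slip a string past a character-based limit while still costing the full byte length to hash.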