From: Chris Angelico
To: python-list@python.org
Newsgroups: comp.lang.python
Subject: Re: code review
Date: Wed, 4 Jul 2012 07:51:18 +1000

On Wed, Jul 4, 2012 at 4:27 AM, Ian Kelly wrote:
> On Tue, Jul 3, 2012 at 12:18 PM, John Gordon wrote:
>> As a practical matter, doesn't there have to be *some* sort of limit?
>> For example if the (encrypted) password is stored in a database, you can't
>> exceed the table column width.
>
> Hopefully you're storing password hashes, not encrypted passwords
> (which can all too easily be DEcrypted), and the length of the hash is
> not dependent on the length of the password. But yes, there are
> certainly practical concerns here.

With a hash length of N bits, there's not much use accepting passwords
longer than about N/4 or N/2 bytes. (It would be N/8 except that most
people don't invent passwords that use the entire available alphabet.
And of course, this ignores issues of encodings, but I'm pretty sure
all current crypto hashes work with bytes not characters anyway.)

But please, don't limit password lengths too much. Make your password
system XKCD 936 compliant:

http://xkcd.com/936/

Permit long passwords consisting of nothing but lowercase letters.
They really aren't as insecure as some people think!

ChrisA
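
The two points in this message, as an added example that is not part of the original post: a stored hash has the same size whatever the password length, and the length at which a password carries N bits depends on how much of the alphabet it uses. The function names, the choice of PBKDF2-HMAC-SHA256 (N = 256), the iteration count and the 2048-word list size are assumptions made for illustration.

```python
import hashlib
import math
import os

ITERATIONS = 100_000  # assumed work factor for this demo


def stored_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: always 32 bytes (N = 256 bits) out."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def useful_length(hash_bits: int, alphabet_size: int) -> int:
    """Length at which a uniformly random password over `alphabet_size`
    symbols carries as many bits as the hash can distinguish."""
    return math.ceil(hash_bits / math.log2(alphabet_size))


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words drawn uniformly from a list of that size."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    salt = os.urandom(16)
    # Constructed sample passwords of very different lengths.
    for pw in ("hunter2", "correct horse battery staple", "x" * 500):
        digest = stored_hash(pw, salt)
        print(f"{len(pw):>3} chars in -> {len(digest)} bytes out "
              f"({len(digest.hex())} hex chars for the column)")

    n = 256
    # 256 symbols is the N/8 case; 16 and 4 symbols give N/4 and N/2.
    for label, size in (("all byte values", 256), ("lowercase letters", 26),
                        ("4 bits per byte", 16), ("2 bits per byte", 4)):
        print(f"{label:<18} useful length ~ {useful_length(n, size)} bytes")

    # Assumed list size: 2048 words, i.e. 11 bits per word.
    print(f"4 words from a 2048-word list: {passphrase_bits(4, 2048):.0f} bits")
```
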