Sender: Kushal Kumaran
Subject: Re: code review
From: kushal.kumaran+python@gmail.com
Date: Wed, 04 Jul 2012 08:27:32 +0530
To: Ian Kelly
Cc: Python User
Newsgroups: comp.lang.python

Ian Kelly wrote:

>On Tue, Jul 3, 2012 at 11:53 AM, Kushal Kumaran wrote:
>> On Sat, Jun 30, 2012 at 3:34 PM, Alister wrote:
>>> On Fri, 29 Jun 2012 09:03:22 -0600, Littlefield, Tyler wrote:
>>>
>>>> On 6/29/2012 1:31 AM, Steven D'Aprano wrote:
>>>>> On Thu, 28 Jun 2012 20:58:15 -0700, alex23 wrote:
>>>>>
>>>>>> On Jun 29, 12:57 pm, "Littlefield, Tyler" wrote:
>>>>>>> I was curious if someone wouldn't mind poking at some code. The
>>>>>>> project page is at: http://code.google.com/p/pymud Any information is
>>>>>>> greatly appreciated.
>>>>>> I couldn't find any actual code at that site, the git repository is
>>>>>> currently empty.
>>>>
>>>> OOPS, sorry. Apparently I'm not as good with git as I thought.
>>>> Everything's in the repo now.
>>>
>>> I think I may be on firmer grounds with the next few:
>>>
>>> isValidPassword can be simplified to
>>>
>>> def isValidPassword(password):
>>>     count=len(password)
>>>     return count>= mud.minpass and count<= mud.maxpass
>>>
>>
>> I haven't actually seen the rest of the code, but I would like to
>> point out that applications placing maximum length limits on passwords
>> are extremely annoying.
>
>They're annoying when the maximum length is unreasonably small, but
>you have to have a maximum length to close off one DoS attack vector.
>Without a limit, if a "user" presents a 1 GB password, then guess
>what? Your system has to hash that GB of data before it can reject
>it. And if you're serious about security then it will be a
>cryptographic hash, and that means slow.
>

Well, if you waited until you had the password (however long) in a variable before you applied your maximum limits, the DoS ship has probably sailed already.

>To prevent that, the system needs to reject outright password attempts
>that are longer than some predetermined reasonable length, and if the
>system won't authenticate those passwords, then it can't allow the
>user to set them either.
>
>Cheers,
>Ian

-- 
regards,
kushal
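
An added example, not code from this thread or from the pymud project, of the point raised in the reply above: the length limit has to be enforced while the input is being read, before it is buffered in full and handed to a slow hash, and the same bound then applies when a password is set. MINPASS, MAXPASS and every function name here are assumptions for illustration.

```python
import hashlib
import hmac

MINPASS, MAXPASS = 8, 128  # assumed values standing in for mud.minpass / mud.maxpass


class PasswordTooLong(Exception):
    """Raised when the submission exceeds MAXPASS before a newline is seen."""


def read_password_line(stream, maxpass=MAXPASS):
    """Return one newline-terminated password from a binary stream.

    readline(limit) hands back at most `limit` bytes, so an oversized
    submission is cut off at the limit instead of being collected in full.
    """
    limit = maxpass + 2  # password plus an optional "\r\n"
    line = stream.readline(limit)
    if not line.endswith(b"\n"):
        if len(line) >= limit:
            raise PasswordTooLong("no line terminator within the limit")
        raise EOFError("stream ended before the line terminator")
    password = line.rstrip(b"\r\n")
    if len(password) > maxpass:
        raise PasswordTooLong("password longer than maxpass")
    return password


def is_valid_password(password):
    """Set-time check: the same bounds the login path enforces."""
    return MINPASS <= len(password) <= MAXPASS


def hash_password(password, salt):
    # Deliberately slow hash; it only ever sees input of at most MAXPASS bytes.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def check_login(stream, salt, stored_hash):
    try:
        candidate = read_password_line(stream)
    except (PasswordTooLong, EOFError):
        return False  # rejected before any hashing work is done
    if not is_valid_password(candidate):
        return False
    return hmac.compare_digest(hash_password(candidate, salt), stored_hash)
```

On a buffered socket file object the reader may pull one buffer block ahead of the limit, but memory use stays bounded; after a rejection the connection should be closed rather than drained.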