Re: Password validation security issue

Path	csiph.com!usenet.pasdenom.info!gegeweb.org!usenet-fr.net!nerim.net!novso.com!newsfeed.xs4all.nl!newsfeed2a.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path	<ian.g.kelly@gmail.com>
X-Original-To	python-list@python.org
Delivered-To	python-list@mail.python.org
X-Spam-Status	OK 0.046
X-Spam-Evidence	'H': 0.91; 'S': 0.00; 'causing': 0.04; 'attack.': 0.09; 'indication': 0.09; 'reason.': 0.16; 'subject:Password': 0.16; 'subject:issue': 0.16; 'subject:security': 0.16; 'all.': 0.16; 'wrote:': 0.18; 'certain': 0.27; 'header:In-Reply-To:1': 0.27; 'chris': 0.29; 'characters': 0.30; 'dos': 0.30; 'sets': 0.30; 'message-id:@mail.gmail.com': 0.30; 'usually': 0.31; 'received:google.com': 0.35; 'passwords': 0.36; 'being': 0.38; 'depends': 0.38; 'to:addr:python-list': 0.38; 'pm,': 0.38; 'anything': 0.39; 'bad': 0.39; 'to:addr:python.org': 0.39; 'users': 0.40; 'problems.': 0.60; 'length': 0.61; 'maximum': 0.63; 'mar': 0.68; 'limit': 0.70; 'opens': 0.91
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=U47NJWJViLgvuB/lwkGgTXVqBfySiHHod/s2gIsG4oQ=; b=yA630nRpjCUl6rR12aePmmGCObpYPaCk6mRDVFjAOoYyjy19ZQCRgqe5jMOLaYEJeS smfZLNCDSQ5r/ow/oCusPZcwyoBfzQG/Blx2NS9B8TpD3XzzXKrO+sm/3dRcsf7mkatG 3SsVnnyKggMdjmwPS2E3G899/CUOWue1kxyipohRv+IyY1OzR0TusPw6E+a5qELHpofC bF1o1V2D73RmY50tSisUILN2FLlTmqrN9MarA1yzwOV+BHLnvIisK+nDu1haZIRmWAtt O28uEur0t0BZj3BK88yBTSIsJeBs816vjcvBW4a/a7k8P02/lkgn1nO+lNs/7aX0TjUd oq/w==
X-Received	by 10.66.146.105 with SMTP id tb9mr441719pab.157.1393829475906; Sun, 02 Mar 2014 22:51:15 -0800 (PST)
MIME-Version	1.0
In-Reply-To	<CAPTjJmoDRUwDXAFg23pPQqHFhY_N-3dddD_0c8qE0VihD3SnHg@mail.gmail.com>
References	<09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> <CAPTjJmqCTLqXgmHMm2QGYJB1MmYEnhMV3OGe0jPc_UOoUQ9gQA@mail.gmail.com> <let920$fmn$1@ger.gmane.org> <CAPTjJmq0MYQugUnsL52ZN0um=V3iABHmM4+vsffD=+2YV7t=MA@mail.gmail.com> <letdt5$1g3$1@ger.gmane.org> <CAPTjJmra0AjHYjk3G+2mSgsewpX0qcmcKpQtqnebHXsQfT2YqQ@mail.gmail.com> <mailman.7592.1393788339.18130.python-list@python.org> <roy-5B94F1.15010902032014@news.panix.com> <5313d7fe$0$29985$c3e8da3$5496439d@news.astraweb.com> <mailman.7618.1393814245.18130.python-list@python.org> <53140749$0$2923$c3e8da3$76491128@news.astraweb.com> <CAPTjJmoDRUwDXAFg23pPQqHFhY_N-3dddD_0c8qE0VihD3SnHg@mail.gmail.com>
From	Ian Kelly <ian.g.kelly@gmail.com>
Date	Sun, 2 Mar 2014 23:50:35 -0700
Subject	Re: Password validation security issue
To	Python <python-list@python.org>
Content-Type	text/plain; charset=ISO-8859-1
X-BeenThere	python-list@python.org
X-Mailman-Version	2.1.15
Precedence	list
List-Id	General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe	<https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive	<http://mail.python.org/pipermail/python-list/>
List-Post	<mailto:python-list@python.org>
List-Help	<mailto:python-list-request@python.org?subject=help>
List-Subscribe	<https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups	comp.lang.python
Message-ID	<mailman.7625.1393829478.18130.python-list@python.org> (permalink)
Lines	11
NNTP-Posting-Host	2001:888:2000:d::a6
X-Trace	1393829478 news.xs4all.nl 2840 [2001:888:2000:d::a6]:38031
X-Complaints-To	abuse@xs4all.nl
Xref	csiph.com comp.lang.python:67513

Show key headers only | View raw

On Sun, Mar 2, 2014 at 10:44 PM, Chris Angelico <rosuav@gmail.com> wrote:
> Of course, the whole concept depends on being able to use long
> memorable passwords. Any system that sets a maximum password length of
> anything less than about 30-40 characters is causing its users
> problems. There's almost never any reason to set a maximum at all.

Well, there's usually *some* reason.  If you allow your users to set a
100-MB password then your system has to accept and attempt to verify
any 100-MB passwords that might get passed in, which opens you up to a
certain DoS attack.  Setting the limit at 8 characters though is
absurd and a probable indication of bad password handling.

Thread

Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-01 09:49 -0800
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 19:31 +0100
  Re: Password validation security issue Tim Chase <python.list@tim.thechases.com> - 2014-03-01 12:38 -0600
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:43 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:45 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 20:54 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-01 15:25 -0500
      Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 23:07 +0100
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 09:13 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 07:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-02 20:25 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-02 15:01 -0500
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 07:32 +1100
      Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 01:16 +0000
        Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:52 -0700
          Re: Password validation security issue Steven D'Aprano <steve@pearwood.info> - 2014-03-03 04:38 +0000
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 16:44 +1100
            Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 23:50 -0700
        Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 13:56 +1100
          Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-03 08:41 -0500
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 00:55 +1100
              Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 16:46 +0000
                Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 05:46 +1100
            Re: Password validation security issue MRAB <python@mrabarnett.plus.com> - 2014-03-03 16:29 +0000
            Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 17:41 +0000
  Re: Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-02 15:10 -0800
    Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:49 -0700
    Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 02:30 +0000

csiph-web