Path: csiph.com!usenet.pasdenom.info!gegeweb.org!usenet-fr.net!nerim.net!novso.com!newsfeed.xs4all.nl!newsfeed2a.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.046 X-Spam-Evidence: '*H*': 0.91; '*S*': 0.00; 'causing': 0.04; 'attack.': 0.09; 'indication': 0.09; 'reason.': 0.16; 'subject:Password': 0.16; 'subject:issue': 0.16; 'subject:security': 0.16; 'all.': 0.16; 'wrote:': 0.18; 'certain': 0.27; 'header:In-Reply-To:1': 0.27; 'chris': 0.29; 'characters': 0.30; 'dos': 0.30; 'sets': 0.30; 'message-id:@mail.gmail.com': 0.30; 'usually': 0.31; 'received:google.com': 0.35; 'passwords': 0.36; 'being': 0.38; 'depends': 0.38; 'to:addr:python-list': 0.38; 'pm,': 0.38; 'anything': 0.39; 'bad': 0.39; 'to:addr:python.org': 0.39; 'users': 0.40; 'problems.': 0.60; 'length': 0.61; 'maximum': 0.63; 'mar': 0.68; 'limit': 0.70; 'opens': 0.91 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=U47NJWJViLgvuB/lwkGgTXVqBfySiHHod/s2gIsG4oQ=; b=yA630nRpjCUl6rR12aePmmGCObpYPaCk6mRDVFjAOoYyjy19ZQCRgqe5jMOLaYEJeS smfZLNCDSQ5r/ow/oCusPZcwyoBfzQG/Blx2NS9B8TpD3XzzXKrO+sm/3dRcsf7mkatG 3SsVnnyKggMdjmwPS2E3G899/CUOWue1kxyipohRv+IyY1OzR0TusPw6E+a5qELHpofC bF1o1V2D73RmY50tSisUILN2FLlTmqrN9MarA1yzwOV+BHLnvIisK+nDu1haZIRmWAtt O28uEur0t0BZj3BK88yBTSIsJeBs816vjcvBW4a/a7k8P02/lkgn1nO+lNs/7aX0TjUd oq/w== X-Received: by 10.66.146.105 with SMTP id tb9mr441719pab.157.1393829475906; Sun, 02 Mar 2014 22:51:15 -0800 (PST) MIME-Version: 1.0 In-Reply-To: References: <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> <5313d7fe$0$29985$c3e8da3$5496439d@news.astraweb.com> <53140749$0$2923$c3e8da3$76491128@news.astraweb.com> From: Ian Kelly Date: Sun, 2 Mar 2014 23:50:35 -0700 Subject: Re: Password validation security issue To: Python Content-Type: text/plain; charset=ISO-8859-1 X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 11 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1393829478 news.xs4all.nl 2840 [2001:888:2000:d::a6]:38031 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:67513 On Sun, Mar 2, 2014 at 10:44 PM, Chris Angelico wrote: > Of course, the whole concept depends on being able to use long > memorable passwords. Any system that sets a maximum password length of > anything less than about 30-40 characters is causing its users > problems. There's almost never any reason to set a maximum at all. Well, there's usually *some* reason. If you allow your users to set a 100-MB password then your system has to accept and attempt to verify any 100-MB passwords that might get passed in, which opens you up to a certain DoS attack. Setting the limit at 8 characters though is absurd and a probable indication of bad password handling.