code review

Ian Kelly ian.g.kelly at gmail.com
Tue Jul 3 20:19:25 CEST 2012


On Tue, Jul 3, 2012 at 11:53 AM, Kushal Kumaran
<kushal.kumaran+python at gmail.com> wrote:
> On Sat, Jun 30, 2012 at 3:34 PM, Alister <alister.ware at ntlworld.com> wrote:
>> On Fri, 29 Jun 2012 09:03:22 -0600, Littlefield, Tyler wrote:
>>
>>> On 6/29/2012 1:31 AM, Steven D'Aprano wrote:
>>>> On Thu, 28 Jun 2012 20:58:15 -0700, alex23 wrote:
>>>>
>>>>> On Jun 29, 12:57 pm, "Littlefield, Tyler" <ty... at tysdomain.com> wrote:
>>>>>> I was curious if someone wouldn't mind poking at some code. The
>>>>>> project page is at:http://code.google.com/p/pymud Any information is
>>>>>> greatly appreciated.
>>>>> I couldn't find any actual code at that site, the git repository is
>>>>> currently empty.
>>>
>>> OOPS, sorry. Apparently I'm not as good with git as I thought.
>>> Everything's in the repo now.
>>
>> I think I may be on firmer grounds with the next few:
>>
>> isValidPassword can be simplified to
>>
>> def isValidPassword(password:
>>         count=len(password)
>>         return count>= mud.minpass and count<= mud.maxpass
>>
>
> I haven't actually seen the rest of the code, but I would like to
> point out that applications placing maximum length limits on passwords
> are extremely annoying.

They're annoying when the maximum length is unreasonably small, but
you have to have a maximum length to close off one DoS attack vector.
Without a limit, if a "user" presents a 1 GB password, then guess
what?  Your system has to hash that GB of data before it can reject
it.  And if you're serious about security then it will be a
cryptographic hash, and that means slow.

To prevent that, the system needs to reject outright password attempts
that are longer than some predetermined reasonable length, and if the
system won't authenticate those passwords, then it can't allow the
user to set them either.

Cheers,
Ian



More information about the Python-list mailing list