code review

Chris Angelico rosuav at gmail.com
Tue Jul 3 23:51:18 CEST 2012


On Wed, Jul 4, 2012 at 4:27 AM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
> On Tue, Jul 3, 2012 at 12:18 PM, John Gordon <gordon at panix.com> wrote:
>> As a practical matter, doesn't there have to be *some* sort of limit?
>> For example if the (encrypted) password is stored in a database, you can't
>> exceed the table column width.
>
> Hopefully you're storing password hashes, not encrypted passwords
> (which can all too easily be DEcrypted), and the length of the hash is
> not dependent on the length of the password.  But yes, there are
> certainly practical concerns here.

With a hash length of N bits, there's not much use accepting passwords
longer than about N/4 or N/2 bytes. (It would be N/8 except that most
people don't invent passwords that use the entire available alphabet.
And of course, this ignores issues of encodings, but I'm pretty sure
all current crypto hashes work with bytes not characters anyway.) But
please, don't limit password lengths too much. Make your password
system XKCD 936 compliant:

http://xkcd.com/936/

Permit long passwords consisting of nothing but lowercase letters.
They really aren't as insecure as some people think!

ChrisA



More information about the Python-list mailing list