code review

kushal.kumaran+python at
Wed Jul 4 04:57:32 CEST 2012

Ian Kelly <ian.g.kelly at> wrote:

>On Tue, Jul 3, 2012 at 11:53 AM, Kushal Kumaran
><kushal.kumaran+python at> wrote:
>> On Sat, Jun 30, 2012 at 3:34 PM, Alister <alister.ware at>
>>> On Fri, 29 Jun 2012 09:03:22 -0600, Littlefield, Tyler wrote:
>>>> On 6/29/2012 1:31 AM, Steven D'Aprano wrote:
>>>>> On Thu, 28 Jun 2012 20:58:15 -0700, alex23 wrote:
>>>>>> On Jun 29, 12:57 pm, "Littlefield, Tyler" <ty... at>
>>>>>>> I was curious if someone wouldn't mind poking at some code. The
>>>>>>> project page is at: Any
>>>>>>> information is
>>>>>>> greatly appreciated.
>>>>>> I couldn't find any actual code at that site, the git repository
>>>>>> currently empty.
>>>> OOPS, sorry. Apparently I'm not as good with git as I thought.
>>>> Everything's in the repo now.
>>> I think I may be on firmer grounds with the next few:
>>> isValidPassword can be simplified to
>>> def isValidPassword(password):
>>>         count = len(password)
>>>         return count >= mud.minpass and count <= mud.maxpass
>> I haven't actually seen the rest of the code, but I would like to
>> point out that applications placing maximum length limits on passwords
>> are extremely annoying.
>They're annoying when the maximum length is unreasonably small, but
>you have to have a maximum length to close off one DoS attack vector.
>Without a limit, if a "user" presents a 1 GB password, then guess
>what?  Your system has to hash that GB of data before it can reject
>it.  And if you're serious about security then it will be a
>cryptographic hash, and that means slow.

Well, if you waited until you had the password (however long) in a variable before you applied your maximum limits, the DoS ship has probably sailed already. 

>To prevent that, the system needs to reject outright password attempts
>that are longer than some predetermined reasonable length, and if the
>system won't authenticate those passwords, then it can't allow the
>user to set them either.
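The two points made above (reject over-long input before it has been fully read into a variable, and enforce the same bound on both the set-password and the login path so no password is accepted that can never be authenticated) can be put together in a few lines. The code below is an added example, not code from the MUD project or from anyone in this thread. It assumes a line-based protocol, constructed length limits of 8 and 128 in place of `mud.minpass` and `mud.maxpass`, and PBKDF2-HMAC-SHA256 as a stand-in for whatever slow hash the project actually uses.

```python
import hashlib
import hmac
import io
import os
from typing import Optional, Tuple

# Policy values are constructed for this example; the thread's mud.minpass and
# mud.maxpass stand for whatever the MUD's configuration provides.
MIN_PASSWORD_LEN = 8
MAX_PASSWORD_LEN = 128
# Work factor of the deliberately slow hash. Kept modest so the example runs
# quickly; real deployments tune this to their hardware.
PBKDF2_ITERATIONS = 50_000


def is_valid_password(password: str) -> bool:
    """The simplified check from the thread: length within [minpass, maxpass]."""
    count = len(password)
    return MIN_PASSWORD_LEN <= count <= MAX_PASSWORD_LEN


def read_bounded_line(stream: io.BufferedIOBase,
                      max_len: int = MAX_PASSWORD_LEN) -> Optional[str]:
    """Read one line from a connection without ever buffering more than
    max_len + 2 bytes (line, optional CR, LF). Returns the decoded line, or
    None if the client sent more than max_len bytes before a newline. This is
    the check applied at the I/O boundary, before the password lands in a
    variable of arbitrary size."""
    data = stream.readline(max_len + 2)
    if data.endswith(b"\n"):
        line = data[:-1].rstrip(b"\r")      # tolerate CRLF line endings
    elif len(data) >= max_len + 2:
        return None                         # limit hit, no newline: over-long input
    else:
        line = data                         # EOF without a newline; accept as-is
    if len(line) > max_len:
        return None
    try:
        return line.decode("utf-8")
    except UnicodeDecodeError:
        return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted slow hash; its cost is exactly why the length check comes first."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def set_password(stream: io.BufferedIOBase) -> Optional[Tuple[bytes, bytes]]:
    """Enrollment path. It enforces the same bound as the login path, so no
    user can set a password the system would later refuse to check."""
    password = read_bounded_line(stream)
    if password is None or not is_valid_password(password):
        return None
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def authenticate(stream: io.BufferedIOBase, salt: bytes, stored: bytes) -> bool:
    """Login path. Over-long input is rejected before any hashing is done."""
    password = read_bounded_line(stream)
    if password is None or not is_valid_password(password):
        return False
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample connections standing in for real client sockets.
    creds = set_password(io.BytesIO(b"correct horse battery\n"))
    print("enrolled:", creds is not None)
    huge = io.BytesIO(b"A" * (1 << 20) + b"\n")   # constructed 1 MiB "password"
    print("huge rejected:", read_bounded_line(huge) is None,
          "bytes consumed:", huge.tell())
```

The bound on `readline` is what makes the rejection cheap: for the 1 MiB input the server reads 130 bytes, decides, and never touches the rest, whereas applying `is_valid_password` to a fully buffered string would already have paid the memory and transfer cost the first reply warns about.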
