code review

kushal.kumaran+python at gmail.com kushal.kumaran+python at gmail.com
Tue Jul 3 22:57:32 EDT 2012 

Ian Kelly <ian.g.kelly at gmail.com> wrote:

>On Tue, Jul 3, 2012 at 11:53 AM, Kushal Kumaran
><kushal.kumaran+python at gmail.com> wrote:
>> On Sat, Jun 30, 2012 at 3:34 PM, Alister <alister.ware at ntlworld.com>
>wrote:
>>> On Fri, 29 Jun 2012 09:03:22 -0600, Littlefield, Tyler wrote:
>>>
>>>> On 6/29/2012 1:31 AM, Steven D'Aprano wrote:
>>>>> On Thu, 28 Jun 2012 20:58:15 -0700, alex23 wrote:
>>>>>
>>>>>> On Jun 29, 12:57 pm, "Littlefield, Tyler" <ty... at tysdomain.com>
>wrote:
>>>>>>> I was curious if someone wouldn't mind poking at some code. The
>>>>>>> project page is at:http://code.google.com/p/pymud Any
>information is
>>>>>>> greatly appreciated.
>>>>>> I couldn't find any actual code at that site, the git repository
>is
>>>>>> currently empty.
>>>>
>>>> OOPS, sorry. Apparently I'm not as good with git as I thought.
>>>> Everything's in the repo now.
>>>
>>> I think I may be on firmer grounds with the next few:
>>>
>>> isValidPassword can be simplified to
>>>
>>> def isValidPassword(password:
>>>         count=len(password)
>>>         return count>= mud.minpass and count<= mud.maxpass
>>>
>>
>> I haven't actually seen the rest of the code, but I would like to
>> point out that applications placing maximum length limits on
>passwords
>> are extremely annoying.
>
>They're annoying when the maximum length is unreasonably small, but
>you have to have a maximum length to close off one DoS attack vector.
>Without a limit, if a "user" presents a 1 GB password, then guess
>what?  Your system has to hash that GB of data before it can reject
>it.  And if you're serious about security then it will be a
>cryptographic hash, and that means slow.
>

Well, if you waited until you had the password (however long) in a variable before you applied your maximum limits, the DoS ship has probably sailed already. 

>To prevent that, the system needs to reject outright password attempts
>that are longer than some predetermined reasonable length, and if the
>system won't authenticate those passwords, then it can't allow the
>user to set them either.
>
>Cheers,
>Ian


-- 
regards,
kushal

More information about the Python-list mailing list