Password validation security issue

Ian Kelly ian.g.kelly at gmail.com
Mon Mar 3 07:50:35 CET 2014


On Sun, Mar 2, 2014 at 10:44 PM, Chris Angelico <rosuav at gmail.com> wrote:
> Of course, the whole concept depends on being able to use long
> memorable passwords. Any system that sets a maximum password length of
> anything less than about 30-40 characters is causing its users
> problems. There's almost never any reason to set a maximum at all.

Well, there's usually *some* reason.  If you allow your users to set a
100-MB password then your system has to accept and attempt to verify
any 100-MB passwords that might get passed in, which opens you up to a
certain DoS attack.  Setting the limit at 8 characters though is
absurd and a probable indication of bad password handling.
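As an added example (not code from either poster), a small Python validator illustrating the point above: a byte-length ceiling generous enough for long passphrases, applied before any key-derivation work so that an oversized input never costs the server a hash computation. The constants, function names and iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Policy values constructed for this example: room for 30-40+ character
# passphrases, but a hard ceiling so a multi-megabyte input is refused
# before the KDF ever sees it.
MIN_PASSWORD_BYTES = 12
MAX_PASSWORD_BYTES = 1024
SALT_LEN = 16
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def check_password_policy(password: str) -> Tuple[bool, str]:
    """Return (ok, reason). Length is measured in UTF-8 bytes, since that
    is what the KDF actually processes, not the number of code points."""
    n = len(password.encode("utf-8"))
    if n < MIN_PASSWORD_BYTES:
        return False, "too short"
    if n > MAX_PASSWORD_BYTES:
        return False, "too long"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Derive salt + PBKDF2-HMAC-SHA256 digest. The policy check runs first,
    so an out-of-policy password is rejected without any hashing work."""
    ok, reason = check_password_policy(password)
    if not ok:
        raise ValueError(f"password rejected: {reason}")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Compare in constant time against the stored salt + digest. The same
    length check bounds the CPU an attacker can burn per login attempt."""
    ok, _ = check_password_policy(password)
    if not ok:
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, digest)
```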
