Password validation security issue
Ian Kelly
ian.g.kelly at gmail.com
Mon Mar 3 01:50:35 EST 2014
On Sun, Mar 2, 2014 at 10:44 PM, Chris Angelico <rosuav at gmail.com> wrote:
> Of course, the whole concept depends on being able to use long
> memorable passwords. Any system that sets a maximum password length of
> anything less than about 30-40 characters is causing its users
> problems. There's almost never any reason to set a maximum at all.
Well, there's usually *some* reason. If you allow your users to set a
100-MB password then your system has to accept and attempt to verify
any 100-MB passwords that might get passed in, which opens you up to a
certain DoS attack. Setting the limit at 8 characters though is
absurd and a probable indication of bad password handling.
More information about the Python-list
mailing list