Velocity Reviews - Computer Hardware Reviews

code review

 
 
Chris Angelico
 
      07-03-2012
On Wed, Jul 4, 2012 at 4:27 AM, Ian Kelly <> wrote:
> On Tue, Jul 3, 2012 at 12:18 PM, John Gordon <> wrote:
>> As a practical matter, doesn't there have to be *some* sort of limit?
>> For example if the (encrypted) password is stored in a database, you can't
>> exceed the table column width.

>
> Hopefully you're storing password hashes, not encrypted passwords
> (which can all too easily be DEcrypted), and the length of the hash is
> not dependent on the length of the password. But yes, there are
> certainly practical concerns here.


With a hash length of N bits, there's not much use accepting passwords
longer than about N/4 or N/2 bytes. (It would be N/8 except that most
people don't invent passwords that use the entire available alphabet.
And of course, this ignores issues of encodings, but I'm pretty sure
all current crypto hashes work with bytes not characters anyway.) But
please, don't limit password lengths too much. Make your password
system XKCD 936 compliant:

http://xkcd.com/936/

Permit long passwords consisting of nothing but lowercase letters.
They really aren't as insecure as some people think!

ChrisA
 
Chris Angelico
 
      07-03-2012
On Wed, Jul 4, 2012 at 6:13 AM, Dave Angel <> wrote:
> On 07/03/2012 12:05 PM, Mark Lawrence wrote:
>> If I go to the moon I will weigh 2st 10lb (if my sums are correct)
>> but the equivalent Frenchman will still be 86kg. I hereby put this
>> forward as proof that the metric system is rubbish and we should
>> revert back to imperial goodies.
>>

>
> 86 kg is not a weight, it's a mass. So it doesn't depend on the local
> gravity situation.


Indeed it is, as he says. But I believe he may be right in that
'stone' is a unit of weight. Hard to be sure, though, given that it's
not an SI unit (for instance, the Wikipedia article text refers to
weight, but its picture shows a man measuring mass).

ChrisA
 
kushal.kumaran+python@gmail.com
 
      07-04-2012
Ian Kelly <> wrote:

>On Tue, Jul 3, 2012 at 11:53 AM, Kushal Kumaran
><kushal.kumaran+> wrote:
>> On Sat, Jun 30, 2012 at 3:34 PM, Alister <> wrote:
>>> On Fri, 29 Jun 2012 09:03:22 -0600, Littlefield, Tyler wrote:
>>>
>>>> On 6/29/2012 1:31 AM, Steven D'Aprano wrote:
>>>>> On Thu, 28 Jun 2012 20:58:15 -0700, alex23 wrote:
>>>>>
>>>>>> On Jun 29, 12:57 pm, "Littlefield, Tyler" <ty...@tysdomain.com> wrote:
>>>>>>> I was curious if someone wouldn't mind poking at some code. The
>>>>>>> project page is at: http://code.google.com/p/pymud Any information is
>>>>>>> greatly appreciated.
>>>>>> I couldn't find any actual code at that site, the git repository is
>>>>>> currently empty.
>>>>
>>>> OOPS, sorry. Apparently I'm not as good with git as I thought.
>>>> Everything's in the repo now.
>>>
>>> I think I may be on firmer grounds with the next few:
>>>
>>> isValidPassword can be simplified to
>>>
>>> def isValidPassword(password):
>>>     count = len(password)
>>>     return count >= mud.minpass and count <= mud.maxpass
>>>
>>
>> I haven't actually seen the rest of the code, but I would like to
>> point out that applications placing maximum length limits on passwords
>> are extremely annoying.

>
>They're annoying when the maximum length is unreasonably small, but
>you have to have a maximum length to close off one DoS attack vector.
>Without a limit, if a "user" presents a 1 GB password, then guess
>what? Your system has to hash that GB of data before it can reject
>it. And if you're serious about security then it will be a
>cryptographic hash, and that means slow.
>


Well, if you waited until you had the password (however long) in a variable before you applied your maximum limits, the DoS ship has probably sailed already.

>To prevent that, the system needs to reject outright password attempts
>that are longer than some predetermined reasonable length, and if the
>system won't authenticate those passwords, then it can't allow the
>user to set them either.
>
>Cheers,
>Ian



--
regards,
kushal
 
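Ian's point (a maximum length exists to keep unbounded input away from the slow cryptographic hash), Kushal's reply (the limit must bite while the value is being read, not after it is already in a variable) and Chris's earlier rule of thumb (no use accepting much more than N/4 to N/2 bytes for an N-bit hash) fit together in one small piece of code. The following is an added example, not code from the pymud project or from anyone in this thread; `MIN_PASS`/`MAX_PASS` stand in for the project's `mud.minpass`/`mud.maxpass`, and their values, the PBKDF2 round count and the sample inputs are all assumptions made for the demonstration.

```python
# Added example (not pymud code): apply password length bounds before the
# expensive hash and while the value is still being read from the client.
import hashlib
import hmac
import io
import os
from typing import Optional, Tuple

MIN_PASS = 8          # assumed minimum, in bytes
MAX_PASS = 128        # assumed maximum, in bytes (after UTF-8 encoding)
PBKDF2_ROUNDS = 100_000   # assumed work factor for the slow hash


def is_valid_password(password: str) -> bool:
    """Bound the *encoded* length: hashes consume bytes, and one character
    may encode to several bytes, so a character count can understate the
    input the hash actually has to process."""
    count = len(password.encode("utf-8"))
    return MIN_PASS <= count <= MAX_PASS


def recommended_max_bytes(hash_bits: int, bits_per_byte: int) -> int:
    """Rule of thumb from the thread: an N-bit hash cannot hold more than
    N/8 bytes of full-entropy input; if people use only part of the
    alphabet each byte carries fewer bits, so the useful ceiling grows to
    N/4 (4 bits per byte) or N/2 (2 bits per byte)."""
    return hash_bits // bits_per_byte


def read_bounded(stream: io.BufferedIOBase, max_len: int) -> Optional[bytes]:
    """Read at most max_len bytes of a password from a client stream. Asking
    for one extra byte detects an over-long value without buffering all of
    it, so the limit is enforced during transfer rather than afterwards."""
    data = stream.read(max_len + 1)
    if len(data) > max_len:
        return None
    return data


def accept_from_bytes(raw: bytes, max_len: int = MAX_PASS) -> Optional[bytes]:
    """Wrap a constructed client payload in a stream and apply read_bounded."""
    return read_bounded(io.BytesIO(raw), max_len)


def hash_password(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: the deliberately slow step the thread
    says must never see unbounded input, so the bound is re-checked here."""
    if not MIN_PASS <= len(password) <= MAX_PASS:
        raise ValueError("password length out of bounds")
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def verify_password(password: bytes, salt: bytes, expected: bytes) -> bool:
    """Reject out-of-bounds lengths in O(1) before any hashing happens, then
    compare digests in constant time."""
    if not MIN_PASS <= len(password) <= MAX_PASS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed inputs: one client sends a sane password, another sends
    # far more than MAX_PASS bytes.
    good = accept_from_bytes(b"correcthorsebatterystaple")
    flood = accept_from_bytes(b"a" * 10_000)
    print("accepted:", good, "| over-long rejected before hashing:", flood is None)
    salt, digest = hash_password(good)
    print("verify good:", verify_password(good, salt, digest))
    print("verify wrong:", verify_password(b"wrong-password", salt, digest))
    print("SHA-256 useful max bytes at 4 bits/byte:", recommended_max_bytes(256, 4))
```

The upper bound is checked three times on purpose: once while reading (so a flood never gets buffered), once before hashing a new password, and once before verifying a login, so that no path reaches the slow hash with more than `MAX_PASS` bytes. Note that `is_valid_password` counts UTF-8 bytes, which is what the hash sees, rather than characters.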
Chris Angelico
 
      07-04-2012
On Wed, Jul 4, 2012 at 12:57 PM, <kushal.kumaran+> wrote:
> Well, if you waited until you had the password (however long) in a variable before you applied your maximum limits, the DoS ship has probably sailed already.


Only because data transfer is usually more expensive than hashing. But
I'd say that'll always be true.

ChrisA
 
Simon Cropper
 
      07-04-2012
On 04/07/12 13:53, Chris Angelico wrote:
> On Wed, Jul 4, 2012 at 12:57 PM, <kushal.kumaran+> wrote:
>> Well, if you waited until you had the password (however long) in a variable before you applied your maximum limits, the DoS ship has probably sailed already.

>
> Only because data transfer is usually more expensive than hashing. But
> I'd say that'll always be true.
>
> ChrisA
>


Some questions to Tyler Littlefield, who started this thread.

Q1 -- Did you get any constructive feedback on your code?

Q2 -- Did you feel that the process of submitting your code for review
met your expectation?

Q3 -- Would you recommend others doing this either on this forum or
other fora?

It appears to me - third party watching the ongoing dialog - that the
thread has gone right off topic (some time ago) and someone should really
start a new thread under a new title/subject. Most of what I have read
does not appear to be discussing your code or how you could improve your
code.

Following the last few posts, I was wondering whether some other
off-list dialog is going on or whether I am missing something.

--
Cheers Simon



 
Littlefield, Tyler
 
      07-04-2012
On 7/3/2012 10:55 PM, Simon Cropper wrote:
> Some questions to Tyler Littlefield, who started this thread.
>
> Q1 -- Did you get any constructive feedback on your code?


I did get some, which I appreciated. Someone mentioned using PyLint.
From reading, I found it was really really pedantic, so I used PyFlakes
instead.
>
> Q2 -- Did you feel that the process of submitting your code for review
> met your expectation?


There wasn't much more to review, so yes. The info I got was helpful and
farther than it was before I started.

> Q3 -- Would you recommend others doing this either on this forum or
> other fora?
>
> It appears to me - third party watching the ongoing dialog - that the
> thread has gone right off topic (some time ago) and someone should
> really start a new thread under a new title/subject. Most of what I
> have read does not appear to be discussing your code or how you could
> improve your code.
>

I basically just stopped after a while. It got into a my language is
better than your language, so I didn't see much constructive info. I've
started reading from the bottom though, where it looks like it's back,
and I do appreciate the rest of the info given, as well. Thanks again
for the feedback.

> Following the last few posts, I was wondering whether some other
> off-list dialog is going on or whether I am missing something.
>



--
Take care,
Ty
http://tds-solutions.net
The aspen project: a barebones light-weight mud engine:
http://code.google.com/p/aspenmud
He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.

 
alex23
 
      07-04-2012
On Jul 4, 3:39 pm, "Littlefield, Tyler" <ty...@tysdomain.com> wrote:
> I basically just stopped after a while. It got into a my language is
> better than your language, so I didn't see much constructive info.


To be fair, it's more "my vision of the language is better than
yours". But yes, it should've been forked into a separate thread
ages ago.

It did get me wondering, though, if there's much in the way of support
for code review in repository sites like github? Being able to
aggregate comments around the actual code itself could be really
handy.

 
rusi
 
      07-04-2012
On Jul 4, 11:17 am, alex23 <wuwe...@gmail.com> wrote:
> On Jul 4, 3:39 pm, "Littlefield, Tyler" <ty...@tysdomain.com> wrote:
>
> > I basically just stopped after a while. It got into a my language is
> > better than your language, so I didn't see much constructive info.

>
> To be fair, it's more "my vision of the language is better than
> yours". But yes, it should've been forked into a separate thread
> ages ago.


A program is a product of a person's creativity as is a programming
language.
They have an analogous relation as say a sculpture to chisels.
This thread is a good example of how longwindedness of a discussion
correlates with its uselessness.
However the reverse error is more insidious: programs are made by
humans and should be critiqued, whereas programming languages (in
particular python) are sacrosanct and cannot be questioned.

Too often I find that responders on this list treat as personal
affront anyone who questions python whereas the most appropriate
response would be: Nice idea but too invasive for serious
consideration.

[I am saying this in general and not for this thread: What's wrong with
a < b < c is quite beyond me!]

>
> It did get me wondering, though, if there's much in the way of support
> for code review in repository sites like github? Being able to
> aggregate comments around the actual code itself could be really
> handy.


 
Mark Lawrence
 
      07-04-2012
On 03/07/2012 22:54, Chris Angelico wrote:
> On Wed, Jul 4, 2012 at 6:13 AM, Dave Angel <> wrote:
>> On 07/03/2012 12:05 PM, Mark Lawrence wrote:
>>> If I go to the moon I will weigh 2st 10lb (if my sums are correct)
>>> but the equivalent Frenchman will still be 86kg. I hereby put this
>>> forward as proof that the metric system is rubbish and we should
>>> revert back to imperial goodies.
>>>

>>
>> 86 kg is not a weight, it's a mass. So it doesn't depend on the local
>> gravity situation.

>
> Indeed it is, as he says. But I believe he may be right in that
> 'stone' is a unit of weight. Hard to be sure, though, given that it's
> not an SI unit (for instance, the Wikipedia article text refers to
> weight, but its picture shows a man measuring mass).
>
> ChrisA
>


Stone is a unit of weight (Brits know important things like this). And
with the consistency that the English language is renowned for, the
plural is, yes you've guessed it, stone.

--
Cheers.

Mark Lawrence.



 
Paul Rudin
 
      07-04-2012
Mark Lawrence <> writes:

> On 03/07/2012 03:25, John O'Hagan wrote:
>> On Tue, 3 Jul 2012 11:22:55 +1000
>>
>> I agree to some extent, but as a counter-example, when I was a child there
>> was a subject called "Weights and Measures" which is now redundant because of the
>> Metric system. I don't miss hogsheads and fathoms at all.
>>
>> John
>>

>
> I weigh 13st 8lb - does this make me redundant?


It might mean that you have some redundant weight.
 