Comment 11 for bug 1175906

Grant Murphy (gmurphy) wrote : Re: passlib long password DoS

As you can currently configure the number of rounds I think it makes sense to be able to configure the maximum password length rather than using a hard coded value. This will give the administrator better control over their environment.

TBH I don't like the truncating approach. To me it seems like you are trying to 'fix' invalid input and continue like nothing has happened. IMO any password that exceeds the maximum password length should be rejected as invalid input (as really that is what it is).
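The reject-versus-truncate distinction, as an added illustration that is not code from this bug thread or from passlib: `PasswordPolicy`, `hash_password`, `verify_password` and `truncating_verify` are hypothetical names, and the hashing uses the standard library's PBKDF2 rather than passlib. Over-long input is refused before any expensive hashing work, and the truncating variant shows why silently cutting the input is not a fix: two different inputs verify against the same stored hash.

```python
import hashlib
import hmac
import os


class PasswordPolicy:
    """Hashing parameters an administrator would set in configuration
    (assumed names for this example, not real passlib/Keystone options)."""

    def __init__(self, rounds=10000, max_password_length=4096):
        self.rounds = rounds
        self.max_password_length = max_password_length


class PasswordTooLong(ValueError):
    """Raised instead of quietly truncating over-long input."""


def _check_length(password, policy):
    if len(password) > policy.max_password_length:
        raise PasswordTooLong(
            f"password length {len(password)} exceeds limit {policy.max_password_length}"
        )


def hash_password(password, policy, salt=None):
    """Reject invalid input first, then do the configured (costly) rounds."""
    _check_length(password)  if False else _check_length(password, policy)
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, policy.rounds)
    return f"{policy.rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, stored, policy):
    """Same length gate on verification, so the DoS path is closed on login too."""
    _check_length(password, policy)
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def truncating_verify(password, stored, policy):
    """The approach argued against above: cut the input and carry on as if
    nothing happened. Anything appended past the limit is silently ignored."""
    return verify_password(password[: policy.max_password_length], stored, policy)
```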