commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Graham <>
Subject Re: [validator] Password fields [WAS] Re: cvs commit: jakarta-commons/validator/src/javascript/org/apache/commons/validator/javascript validateMaxLength.js validateMinLength.js
Date Thu, 09 Oct 2003 14:17:33 GMT

--- Robert Leland <> wrote:
> David Graham wrote:
> >My point is not that you shouldn't tell your users the rules; it's that
> >you shouldn't expose the validation algorithm to hackers.  The less
> they
> >know about the password system, the better.
> >
> >David
> >
> That's Microsofts method security by obsecurity. We all know how well 
> that works !
> I have been searching for articles saying that knowing
> minimum/maximum password lengths poses a security risk. I have not found
> such an article/blurb,
> either for or against. And it is impossible to not tell the user what 
> the min/max's are in a usable system.
> The only place where min/max lengths helps out a little, very little, is
> in programs like jack the ripper, and this
> occures once the password file has been copied off the machine to 
> another to be cracked.
> I also asked my co-worker who lives, and breathes cryptology  and runs 
> a  respected crypto news site,
> and he said it isn't an issue. The only comment he made is that there 
> should not be maximum limits.
> (he probably also would like a 15 digit zip code ;) )!
> I am trying to base decisions on facts, not FUD, and I see no references
> that would support a -1,
> I invite you to google for over an hour like I did.

That's not how a veto works.  We don't need a list of internet references
to support a -1.  I believe exposing any details about password validation
implementation is a security flaw, no matter how small.  Revealing min/max
lengths is a relatively minor issue but violates that general principle.

The implication that I support MS' security model or am trying to spread
FUD isn't fair.  I'm trying to do the right thing and ship Validator that
complies with the Apache way of doing things.  

If my reasons don't support a -1, so be it.  I don't have the time nor
energy to continue debating this.


> -Rob

Do you Yahoo!?
The New Yahoo! Shopping - with improved product search

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message