On Mon, Dec 20, 2010 at 7:26 AM, Adam Voss <vossa...@luther.edu> wrote: > I noticed in run_notebook.py that when the notebook is run with > reset=True, there is a check against min_password_length from > sagenb.misc.misc to make sure the password is long enough. If it is > shorter than the minimum, sage prints "That password is way too short. > Enter a password with at least 6 characters." > > However, min_password_length is 1. Thus, the check is only preventing > non-blank passwords. Is this the desired behavior? > > It seems inconsistent to me to prompt for a 6 character password when > we will accept any non-blank password. A 6-character password on an > administrative account does not seem unreasonable to me. IMHO for a > piece of software that effectively give shell access to a server, > applying a min_password_length of 6 (which really isn't that secure) > would be reasonable. Though if nothing is enforcing the length, it > doesn't seem right to me to tell users to enter one of at least a > certain length. > > I poked around the users.py and notebook.py and did some grep'ing and > didn't find anywhere else min_password_length is used. Changing > min_password_length to 6 would seem to only force the admin password > to be 6 characters, without affecting other users and passwords > already set. I haven't thoroughly looked into it yet, but to affect > all users would probably be quite a bit more complicated. The output > message for other users is probably desired in the webbrowser, rather > than the shell, and currently the webbrowser doesn't even give a > message when setting a blank password (silently fails) so I'm guessing > they is not a easy way to do this already in-place. > > Any thoughts?
1. It should be noted that most notebook servers are personal on-person servers, only listening on localhost, started up by the person using them right away. Anything that makes this usecase harder is a -1 in my book. (This change may or may not impact that much). 2. It's probably not easy to do in the current model, but there's a project to restructure the notebook at the Sage Days this January which would suggest that if it's not an easy fix (especially for the blank password crash), it's probably not worth putting a lot of effort into it now. - Robert -- To post to this group, send an email to sage-devel@googlegroups.com To unsubscribe from this group, send an email to sage-devel+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/sage-devel URL: http://www.sagemath.org
