On Aug 3, 2009, at 5:33 PM, mr.freeze wrote:

> Just a quick message to point out that if you use IS_STRONG, you must
> override Auth's random_password function to match its complexity

Yes, I was going to point that out. But if you turn off IS_STRONG for login, then it doesn't matter, does it? There's another reason to turn off IS_STRONG for logins, too: it leaks information to an attacker about the nature of the required password content, significantly pruning his dictionary. I think that the IS_STRONG-login-bypass trick (or something like it) ought to be in the manual under the IS_STRONG entry.

> or
> users won't be able to login after resetting their password. Here's
> what I did in my model:
>
> class MyAuth(Auth):
>     def random_password(self):
>         import string
>         import random
>         password = ''
>         specials = r'!...@#$*?'
>         for i in range(0, 3):
>             password += random.choice(string.lowercase)
>             password += random.choice(string.uppercase)
>             password += random.choice(string.digits)
>             password += random.choice(specials)
>         return ''.join(random.sample(password, len(password)))
>
> auth = MyAuth(globals(), db)
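The thread's point is that the password reset generator and the password complexity policy have to agree, or reset users are locked out. The following is an added, stand-alone example (not mr.freeze's code and not web2py's Auth or IS_STRONG) that pairs a CSPRNG-based generator with a checker for the same policy, so the generator can be verified against the policy rather than trusted to match it. The class sizes, minimum length and the `SPECIALS` set are constructed for the example; in web2py the generator body would live in a `random_password` override as in the quoted message.

```python
import secrets
import string

# Character classes used by both the policy check and the generator.
# SPECIALS is a constructed set for this example; the set in the quoted
# post is partly masked, so it is not reproduced here.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIALS = "!@#$*?"
CLASSES = (LOWER, UPPER, DIGITS, SPECIALS)
ALLOWED = set("".join(CLASSES))


def meets_policy(password, min_length=12, per_class=3):
    """Constructed complexity policy: at least `min_length` characters,
    every character from an allowed class, and at least `per_class`
    characters from each class. Mirrors what the generator produces."""
    if len(password) < min_length:
        return False
    if any(ch not in ALLOWED for ch in password):
        return False
    return all(sum(ch in cls for ch in password) >= per_class for cls in CLASSES)


def random_password(per_class=3):
    """Generate a password that satisfies meets_policy() by construction.

    Uses the `secrets` module (OS CSPRNG) rather than `random`, and
    shuffles with SystemRandom so the class order of the characters is
    not predictable from the generator's structure."""
    chars = []
    for cls in CLASSES:
        chars.extend(secrets.choice(cls) for _ in range(per_class))
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def generator_matches_policy(trials=500):
    """Self-check: every generated password must pass the policy. Running
    this at deploy time catches a generator/policy mismatch before users
    hit the reset flow."""
    return all(meets_policy(random_password()) for _ in range(trials))


if __name__ == "__main__":
    sample = random_password()
    print(sample, meets_policy(sample))
    print("generator agrees with policy:", generator_matches_policy())
```

The checker and the generator share one definition of the character classes, so changing the policy (say, dropping `SPECIALS`) changes both sides at once; `generator_matches_policy()` is the regression test that would have caught the lockout described in the thread.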