> Yes, I was going to point that out. But if you turn off IS_STRONG for
> login, then it doesn't matter, does it?

Correct.  IS_STRONG is not a default validator for the password field
(only CRYPT) so if you don't have complexity requirements, just avoid
using it.

> There's another reason to turn off IS_STRONG for logins, too: it leaks
> information to an attacker about the nature of the required password
> content, significantly pruning his dictionary.

Good point.

On Aug 3, 7:40 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> On Aug 3, 2009, at 5:33 PM, mr.freeze wrote:
>
> > Just a quick message to point out that if you use IS_STRONG, you must
> > override Auth's random_password function to match its complexity
>
> Yes, I was going to point that out. But if you turn off IS_STRONG for
> login, then it doesn't matter, does it?
>
> There's another reason to turn off IS_STRONG for logins, too: it leaks
> information to an attacker about the nature of the required password
> content, significantly pruning his dictionary.
>
> I think that the IS_STRONG-login-bypass trick (or something like it)
> ought to be in the manual under the IS_STRONG entry.
>
> > or
> > users won't be able to login after resetting their password.  Here's
> > what I did in my model:
>
> > class MyAuth(Auth):
> >    def random_password(self):
> >        import string
> >        import random
> >        password = ''
> >        specials=r'!...@#$*?'
> >        for i in range(0,3):
> >            password += random.choice(string.lowercase)
> >            password += random.choice(string.uppercase)
> >            password += random.choice(string.digits)
> >            password += random.choice(specials)
> >        return ''.join(random.sample(password,len(password)))
>
> > auth=MyAuth(globals(),db)
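Added example, not code from this thread or from web2py itself: a policy check that mirrors an IS_STRONG configuration, a reset-password generator that is guaranteed to satisfy that same policy, and a test that the two agree, so a user can always log in after a reset. The policy values (min=8, one each of upper, lower, digit, special) and the special-character set are assumptions; generation uses `secrets` rather than `random` so reset passwords are unpredictable.

```python
import secrets
import string

# Assumed policy, chosen to match an IS_STRONG(min=8, upper=1, lower=1,
# number=1, special=1) setup; change it to whatever your validator uses.
POLICY = {"min": 8, "upper": 1, "lower": 1, "number": 1, "special": 1}
SPECIALS = "!@#$*?"  # constructed: the special characters the policy accepts

CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "number": string.digits,
    "special": SPECIALS,
}


def is_strong(password, policy=POLICY):
    """True if password meets the policy, i.e. the check a password field
    with IS_STRONG on it would apply at login."""
    if len(password) < policy["min"]:
        return False
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "number": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIALS for c in password),
    }
    return all(counts[name] >= policy[name] for name in counts)


def random_password(policy=POLICY):
    """Reset password that always satisfies the policy: draw the required
    minimum from each class, pad to the minimum length from the whole
    alphabet, then shuffle so the class order is not predictable."""
    chars = []
    for name, alphabet in CLASSES.items():
        chars.extend(secrets.choice(alphabet) for _ in range(policy[name]))
    everything = "".join(CLASSES.values())
    while len(chars) < policy["min"]:
        chars.append(secrets.choice(everything))
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


if __name__ == "__main__":
    pw = random_password()
    print(pw, is_strong(pw))  # the generated password passes its own policy
```

In web2py this generator would be returned from an overridden `random_password` on an `Auth` subclass, as in the quoted message; the point is that the generator and the validator read the same policy values.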
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To post to this group, send email to web2py@googlegroups.com