On Aug 3, 2009, at 5:51 PM, mr.freeze wrote:
>
>> Yes, I was going to point that out. But if you turn off IS_STRONG for
>> login, then it doesn't matter, does it?
>
> Correct. IS_STRONG is not a default validator for the password field
> (only CRYPT), so if you don't have complexity requirements, just avoid
> using it.

I mean: use it, but also use something like your hack (excuse the expression) for turning it off specifically for login requests, and leaving it enabled for everything else.

>
>> There's another reason to turn off IS_STRONG for logins, too: it leaks
>> information to an attacker about the nature of the required password
>> content, significantly pruning his dictionary.
>
> Good point.
>
> On Aug 3, 7:40 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>> On Aug 3, 2009, at 5:33 PM, mr.freeze wrote:
>>
>>> Just a quick message to point out that if you use IS_STRONG, you must
>>> override Auth's random_password function to match its complexity
>>
>> Yes, I was going to point that out. But if you turn off IS_STRONG for
>> login, then it doesn't matter, does it?
>>
>> There's another reason to turn off IS_STRONG for logins, too: it leaks
>> information to an attacker about the nature of the required password
>> content, significantly pruning his dictionary.
>>
>> I think that the IS_STRONG-login-bypass trick (or something like it)
>> ought to be in the manual under the IS_STRONG entry.
>>
>>> or users won't be able to login after resetting their password. Here's
>>> what I did in my model:
>>>
>>> class MyAuth(Auth):
>>>     def random_password(self):
>>>         import string
>>>         import random
>>>         # SystemRandom draws from the OS entropy source; the default
>>>         # Mersenne Twister generator is not suitable for secrets.
>>>         rng = random.SystemRandom()
>>>         password = ''
>>>         specials = r'!...@#$*?'
>>>         # three characters from each class, so the result satisfies
>>>         # the validator's per-class complexity requirements
>>>         for i in range(0, 3):
>>>             password += rng.choice(string.ascii_lowercase)
>>>             password += rng.choice(string.ascii_uppercase)
>>>             password += rng.choice(string.digits)
>>>             password += rng.choice(specials)
>>>         # shuffle so the class order is not predictable
>>>         return ''.join(rng.sample(password, len(password)))
>>>
>>> auth = MyAuth(globals(), db)
>

You received this message because you are subscribed to the Google Groups "web2py-users" group.
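As an added example (not code from the thread or from web2py), the mismatch discussed above in stand-alone form: a policy checker standing in for IS_STRONG (its thresholds and special-character set are assumptions, not web2py's actual defaults), a generator that satisfies that policy by construction, and a naive lowercase-only reset generator whose output the checker rejects.

```python
import string
from random import SystemRandom

# Constructed stand-in for a complexity policy of the kind IS_STRONG enforces.
# Thresholds and the special-character set are assumptions for this example,
# not web2py's actual defaults.
POLICY = {"min_length": 8, "upper": 1, "lower": 1, "digits": 1, "special": 1}
SPECIALS = "!@#$*?"

# OS-backed CSPRNG; the default `random` generator is not suitable for secrets.
_rng = SystemRandom()


def violations(password, policy=POLICY, specials=SPECIALS):
    """Return the policy rules `password` fails; an empty list means it passes."""
    checks = [
        ("min_length", len(password) >= policy["min_length"]),
        ("upper", sum(c.isupper() for c in password) >= policy["upper"]),
        ("lower", sum(c.islower() for c in password) >= policy["lower"]),
        ("digits", sum(c.isdigit() for c in password) >= policy["digits"]),
        ("special", sum(c in specials for c in password) >= policy["special"]),
    ]
    return [name for name, ok in checks if not ok]


def random_password(policy=POLICY, specials=SPECIALS):
    """Generate a password that satisfies `policy` by construction: draw the
    required count from each character class, pad to min_length, then shuffle
    so the class order is not predictable."""
    chars = [_rng.choice(string.ascii_uppercase) for _ in range(policy["upper"])]
    chars += [_rng.choice(string.ascii_lowercase) for _ in range(policy["lower"])]
    chars += [_rng.choice(string.digits) for _ in range(policy["digits"])]
    chars += [_rng.choice(specials) for _ in range(policy["special"])]
    alphabet = string.ascii_letters + string.digits + specials
    while len(chars) < policy["min_length"]:
        chars.append(_rng.choice(alphabet))
    _rng.shuffle(chars)
    return "".join(chars)


def naive_reset_password(length=8):
    """Lowercase-only generator, mirroring the mismatch the thread describes:
    a reset password that the password-field validator then rejects at login."""
    return "".join(_rng.choice(string.ascii_lowercase) for _ in range(length))


if __name__ == "__main__":
    generated = random_password()
    print("policy-matching:", generated, "fails:", violations(generated))
    weak = naive_reset_password()
    print("naive reset:", weak, "fails:", violations(weak))
```

The same `violations` check run at registration and at password reset, but not at login, is the split the thread recommends: the generator and the validator must agree, and login need only confirm the stored hash.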