> I mean: use it, but also use something like your hack (excuse the
> expression) for turning it off specifically for login requests, and
> leaving it enabled for everything else.

No excuse necessary... It is a hack! I should have considered when writing IS_STRONG. What do you think about a bypass=['login'] parameter added to it?

On Aug 3, 8:08 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> On Aug 3, 2009, at 5:51 PM, mr.freeze wrote:
>
> >> Yes, I was going to point that out. But if you turn off IS_STRONG for
> >> login, then it doesn't matter, does it?
> >
> > Correct. IS_STRONG is not a default validator for the password field
> > (only CRYPT) so if you don't have complexity requirements, just avoid
> > using it.
>
> I mean: use it, but also use something like your hack (excuse the
> expression) for turning it off specifically for login requests, and
> leaving it enabled for everything else.
>
> >> There's another reason to turn off IS_STRONG for logins, too: it
> >> leaks
> >> information to an attacker about the nature of the required password
> >> content, significantly pruning his dictionary.
> >
> > Good point.
> >
> > On Aug 3, 7:40 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> >> On Aug 3, 2009, at 5:33 PM, mr.freeze wrote:
> >
> >>> Just a quick message to point out that if you use IS_STRONG, you
> >>> must
> >>> override Auth's random_password function to match its complexity
> >
> >> Yes, I was going to point that out. But if you turn off IS_STRONG for
> >> login, then it doesn't matter, does it?
> >
> >> There's another reason to turn off IS_STRONG for logins, too: it
> >> leaks
> >> information to an attacker about the nature of the required password
> >> content, significantly pruning his dictionary.
> >
> >> I think that the IS_STRONG-login-bypass trick (or something like it)
> >> ought to be in the manual under the IS_STRONG entry.
> >
> >>> or
> >>> users won't be able to login after resetting their password. Here's
> >>> what I did in my model:
> >
> >>> class MyAuth(Auth):
> >>>     def random_password(self):
> >>>         import string
> >>>         import random
> >>>         password = ''
> >>>         specials=r'!...@#$*?'
> >>>         # three characters from each class, so the result passes IS_STRONG
> >>>         for i in range(0,3):
> >>>             password += random.choice(string.ascii_lowercase)
> >>>             password += random.choice(string.ascii_uppercase)
> >>>             password += random.choice(string.digits)
> >>>             password += random.choice(specials)
> >>>         # shuffle so the classes do not appear in a fixed order
> >>>         return ''.join(random.sample(password,len(password)))
> >
> >>> auth=MyAuth(globals(),db)
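The three points of the thread in one stand-alone sketch, added here as an example and not code from the thread or from web2py's own IS_STRONG or Auth: a password generator that satisfies a three-of-each-class rule like the poster's MyAuth, drawing from `secrets` rather than `random` because the output is a credential; a hypothetical `is_strong()` standing in for IS_STRONG; and a `validate_password()` that skips the check for login requests, which is the effect a bypass=['login'] parameter would have. The function names, the SPECIALS set and the per-class count are assumptions.

```python
import secrets
import string

# Constructed sample set of specials; the thread's own set is partly elided.
SPECIALS = "!@#$*?"

# Character classes an IS_STRONG-style rule might require (assumption).
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": SPECIALS,
}


def is_strong(password, per_class=3):
    """Hypothetical complexity check: at least `per_class` characters from
    every class in CLASSES. Returns (ok, reason). The reason names the
    class that is short, which is exactly the detail that should not be
    echoed back from a login form."""
    for name, alphabet in CLASSES.items():
        count = sum(1 for ch in password if ch in alphabet)
        if count < per_class:
            return False, "need at least %d %s characters" % (per_class, name)
    return True, None


def random_password(per_class=3):
    """Generate a password that passes is_strong() by construction, the
    counterpart of overriding Auth.random_password in the thread.
    secrets.choice replaces random.choice, and the shuffle uses a
    CSPRNG-backed SystemRandom so the class order does not leak."""
    chars = [secrets.choice(alphabet)
             for alphabet in CLASSES.values()
             for _ in range(per_class)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def validate_password(password, action, bypass=("login",)):
    """Apply the complexity rule unless `action` is listed in `bypass`.
    Skipping the rule for login mirrors the proposed bypass=['login']:
    a password that is already stored is never rejected at login time,
    and no policy detail is returned to whoever is at the login form."""
    if action in bypass:
        return True, None
    return is_strong(password)


if __name__ == "__main__":
    pw = random_password()
    print(pw, is_strong(pw))                          # generated password passes
    print(validate_password("hunter2", "login"))      # (True, None): bypassed
    print(validate_password("hunter2", "register"))   # rejected with a reason
```

The policy check is the same object whether it runs at registration or login; only the action decides whether it applies, so there is one place to change if the list of bypassed actions needs to grow.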