On Aug 3, 2009, at 6:31 PM, mr.freeze wrote:
>
>> I mean: use it, but also use something like your hack (excuse the
>> expression) for turning it off specifically for login requests, and
>> leaving it enabled for everything else.
>
> No excuse necessary... It is a hack! I should have considered when
> writing IS_STRONG. What do you think about a bypass=['login']
> parameter added to it?

Good idea. Anything to encourage best practices.

>
> On Aug 3, 8:08 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>> On Aug 3, 2009, at 5:51 PM, mr.freeze wrote:
>>
>>>> Yes, I was going to point that out. But if you turn off IS_STRONG for
>>>> login, then it doesn't matter, does it?
>>
>>> Correct. IS_STRONG is not a default validator for the password field
>>> (only CRYPT) so if you don't have complexity requirements, just avoid
>>> using it.
>>
>> I mean: use it, but also use something like your hack (excuse the
>> expression) for turning it off specifically for login requests, and
>> leaving it enabled for everything else.
>>
>>>> There's another reason to turn off IS_STRONG for logins, too: it leaks
>>>> information to an attacker about the nature of the required password
>>>> content, significantly pruning his dictionary.
>>
>>> Good point.
>>
>>> On Aug 3, 7:40 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>>>> On Aug 3, 2009, at 5:33 PM, mr.freeze wrote:
>>
>>>>> Just a quick message to point out that if you use IS_STRONG, you must
>>>>> override Auth's random_password function to match its complexity
>>
>>>> Yes, I was going to point that out. But if you turn off IS_STRONG for
>>>> login, then it doesn't matter, does it?
>>
>>>> There's another reason to turn off IS_STRONG for logins, too: it leaks
>>>> information to an attacker about the nature of the required password
>>>> content, significantly pruning his dictionary.
>>
>>>> I think that the IS_STRONG-login-bypass trick (or something like it)
>>>> ought to be in the manual under the IS_STRONG entry.
>>
>>>>> or users won't be able to login after resetting their password. Here's
>>>>> what I did in my model:
>>
>>>>>     from gluon.tools import Auth  # web2py models normally import Auth this way
>>>>>
>>>>>     class MyAuth(Auth):
>>>>>         def random_password(self):
>>>>>             import string
>>>>>             import random
>>>>>             # SystemRandom draws from the OS entropy source, which is what
>>>>>             # a password generator should use rather than the default PRNG
>>>>>             rng = random.SystemRandom()
>>>>>             password = ''
>>>>>             # the "..." in this literal looks like list-archive mangling of
>>>>>             # the original punctuation set; it is left as posted
>>>>>             specials = r'!...@#$*?'
>>>>>             # one character from each class per round, so the result always
>>>>>             # satisfies an IS_STRONG-style lower/upper/digit/special rule
>>>>>             for i in range(0, 3):
>>>>>                 password += rng.choice(string.ascii_lowercase)
>>>>>                 password += rng.choice(string.ascii_uppercase)
>>>>>                 password += rng.choice(string.digits)
>>>>>                 password += rng.choice(specials)
>>>>>             # shuffle so the class order is not predictable
>>>>>             return ''.join(rng.sample(password, len(password)))
>>
>>>>>     auth = MyAuth(globals(), db)
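As an added example (not code from the thread or from web2py), the pattern the thread describes in plain Python: `strength_errors` is an assumed stand-in for an IS_STRONG-style complexity rule, `random_password` is guaranteed to satisfy it, a letters-only generator shows the reset-then-cannot-login failure, and `validate_password` skips the complexity check for login so the policy is not revealed to whoever is guessing.

```python
import secrets
import string

SPECIALS = "!@#$*?"   # constructed set; the thread's literal was mangled
MIN_LEN = 12          # assumed minimum length for the stand-in rule

_rng = secrets.SystemRandom()  # OS entropy, not the default Mersenne Twister


def strength_errors(password):
    """Stand-in for an IS_STRONG-style check (assumed rules, not web2py's).
    Returns the list of unmet requirements; an empty list means it passes."""
    errors = []
    if len(password) < MIN_LEN:
        errors.append("at least %d characters" % MIN_LEN)
    if not any(c.islower() for c in password):
        errors.append("a lowercase letter")
    if not any(c.isupper() for c in password):
        errors.append("an uppercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("a digit")
    if not any(c in SPECIALS for c in password):
        errors.append("a special character from " + SPECIALS)
    return errors


def random_password(rounds=3):
    """Generator that always satisfies strength_errors: one character from
    each class per round (4 * rounds chars), then a CSPRNG shuffle."""
    chars = []
    for _ in range(rounds):
        chars.append(_rng.choice(string.ascii_lowercase))
        chars.append(_rng.choice(string.ascii_uppercase))
        chars.append(_rng.choice(string.digits))
        chars.append(_rng.choice(SPECIALS))
    _rng.shuffle(chars)
    return "".join(chars)


def letters_only_password(length=8):
    """The failure mode the thread warns about: a generator that ignores the
    validator, so a user who resets gets a password that can never log in."""
    return "".join(_rng.choice(string.ascii_letters) for _ in range(length))


def validate_password(password, action):
    """Apply the complexity rule everywhere except login: a wrong password at
    login is simply wrong, and explaining the policy there only helps an
    attacker prune a guessing dictionary."""
    if action == "login":
        return []
    return strength_errors(password)
```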