On Feb 7, 2010, at 12:07 PM, mdipierro wrote:

> Remember that validators are filters. You need to check that a
> password is strong BEFORE it is hashed.
> So instead of this:
>
> auth.settings.table_user.password.requires += [IS_STRONG(min=8, max=0,
> upper=1, lower=1, number=1, special=1)]
>
> Do this
>
> auth.settings.table_user.password.requires.insert(0,IS_STRONG(min=8, max=0,
> upper=1, lower=1, number=1, special=1))
>
> Not sure this is your problem but try again after this fix.

Good point, thanks. But it wasn't my problem; the problem is that digest_alg defaults to md5, even in the presence of a key, which isn't what the manual says. I think that the best course of action might be to change the manual, since fixing the code now would break backward compatibility (I think). OTOH, if anyone is relying on the docs and expecting a sha512 hash, they're not getting one. The only reason I noticed the problem was that I was manually initializing the database with a sha512 hash, rather than relying on the form.

>
> On Feb 7, 1:44 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>> I've got this (where the key is a text string):
>>
>> from gluon.tools import *
>> auth=Auth(globals(),db) # authentication/authorization
>> auth.settings.hmac_key = vpepm_hmac_key
>> auth.define_tables() # creates all needed tables
>>
>> # invoke IS_STRONG only for password creation, not password checking
>> if "login" not in request.args:
>>     auth.settings.table_user.password.requires += [IS_STRONG(min=8, max=0,
>>     upper=1, lower=1, number=1, special=1)]
>>
>> All my logins are failing with a bad password. I've got a sha512 hash in my
>> user database (manually initialized), but the login form is returning an md5
>> hash, presumably because digest_alg is set to md5. The manual says, "If a
>> key is specified it uses the HMAC+SHA512 with the provided key," but I don't
>> see where digest_alg is ever set to sha512.
>>
>> Is there a bug, or am I doing something wrong?
>
> --
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To post to this group, send email to web...@googlegroups.com.
> To unsubscribe from this group, send email to
> web2py+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/web2py?hl=en.
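
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not web2py code: a standard-library model of a password validator whose `digest_alg` defaults to md5, checked against a row seeded by hand with a sha512 digest. The function names, key, and password are constructed for illustration, and using HMAC whenever a key is present is an assumption of this model.

```python
import hashlib
import hmac

# Hex-digest lengths identify which algorithm produced a stored value.
HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def digest(password, key=None, digest_alg="md5"):
    """Model validator: HMAC when a key is set (assumption), plain hash
    otherwise. digest_alg picks the hash in both cases and defaults to md5."""
    data = password.encode("utf-8")
    if key:
        return hmac.new(key.encode("utf-8"), data, digest_alg).hexdigest()
    return hashlib.new(digest_alg, data).hexdigest()


def guess_alg(hexdigest):
    """Diagnostic: infer the digest algorithm from the stored value's length."""
    return HEX_LEN.get(len(hexdigest), "unknown")


def login_ok(stored, password, key, digest_alg="md5"):
    """Recompute the digest as the login form would and compare in constant time."""
    candidate = digest(password, key, digest_alg)
    return hmac.compare_digest(stored, candidate)


# Constructed sample values, not taken from the thread.
KEY = "constructed-hmac-key"
PASSWORD = "Constructed#Passw0rd"

# Row initialized by hand with an HMAC-SHA512 digest, as the manual describes.
SEEDED = digest(PASSWORD, KEY, "sha512")

if __name__ == "__main__":
    form_value = digest(PASSWORD, KEY)  # digest_alg left at its md5 default
    print("stored:", guess_alg(SEEDED), "form:", guess_alg(form_value))
    print("login with default alg:", login_ok(SEEDED, PASSWORD, KEY))
    print("login with sha512:", login_ok(SEEDED, PASSWORD, KEY, "sha512"))
```

Comparing the length of the stored value with the length the form produces is a quick way to confirm which algorithm each side is using before changing any configuration.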