On Aug 21, 2011, at 11:20 AM, Anthony wrote: > On Sunday, August 21, 2011 1:56:00 PM UTC-4, Jonathan Lundell wrote: > On Aug 21, 2011, at 9:27 AM, Jonathan Lundell wrote: > > On Aug 21, 2011, at 8:33 AM, Jonathan Lundell wrote: > > > >> I do something like this. Your details might vary. > >> > >> # invoke IS_STRONG only for password creation, not password checking > >> if "login" not in request.args: > >> auth.settings.table_user.password.requires.insert(0, IS_STRONG(min=8, > >> max=0, special=1)) > >> > >> ...but I also define the entire auth table, so Massimo's method is handier > >> if you're using the default. > >> > >> I think it'd be good if auth worked this way by default. There's no reason > >> to enforce IS_STRONG on login, and actually there's good reason *not* to, > >> since it enables an attacker to learn things about the actual password. > > > > Actually, as I review the source, the only place I see IS_STRONG being > > invoked by default is in the admin app. So if you're adding IS_STRONG to > > your auth forms, just make it conditional as above. > > ...and if that's right, perhaps we could put something like that (but with a > default IS_STRONG call?) into the scaffolding app, as an example. > > Looks like the recent change in trunk was to CRYPT, not IS_STRONG. CRYPT now > checks for a minimum password length, which defaults to 4. If you're already > using IS_STRONG, then I suppose you could just set the min_length argument of > CRYPT to 1. >
Except that CRYPT is invoked inside Auth. 1) I don't see a good reason for enforcing password length in CRPYT, and 2) password length (or strength) should never be enforced while checking.
