Do you suggest reverting the patch?
On Aug 21, 3:14 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> On Aug 21, 2011, at 11:20 AM, Anthony wrote:
>
> > On Sunday, August 21, 2011 1:56:00 PM UTC-4, Jonathan Lundell wrote:
> >
> > > On Aug 21, 2011, at 9:27 AM, Jonathan Lundell wrote:
> > >
> > > > On Aug 21, 2011, at 8:33 AM, Jonathan Lundell wrote:
> > > >
> > > > > I do something like this. Your details might vary.
> > > > >
> > > > > # invoke IS_STRONG only for password creation, not password checking
> > > > > if "login" not in request.args:
> > > > >     auth.settings.table_user.password.requires.insert(0, IS_STRONG(min=8, max=0, special=1))
> > > > >
> > > > > ...but I also define the entire auth table, so Massimo's method is handier if you're using the default.
> > > > >
> > > > > I think it'd be good if auth worked this way by default. There's no reason to enforce IS_STRONG on login, and actually there's good reason *not* to, since it enables an attacker to learn things about the actual password.
> > > >
> > > > Actually, as I review the source, the only place I see IS_STRONG being invoked by default is in the admin app. So if you're adding IS_STRONG to your auth forms, just make it conditional as above.
> > >
> > > ...and if that's right, perhaps we could put something like that (but with a default IS_STRONG call?) into the scaffolding app, as an example.
> >
> > Looks like the recent change in trunk was to CRYPT, not IS_STRONG. CRYPT now checks for a minimum password length, which defaults to 4. If you're already using IS_STRONG, then I suppose you could just set the min_length argument of CRYPT to 1.
>
> Except that CRYPT is invoked inside Auth.
>
> 1) I don't see a good reason for enforcing password length in CRYPT, and 2) password length (or strength) should never be enforced while checking.
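An added, self-contained Python model of the conditional validator chain discussed in the thread (this is not code from the thread or from web2py): the strength check is inserted into the password field's validator list only when the form is not the login form, and the login path returns one fixed failure message. The is_strong stand-in, the user store, the sha256 digest and the message strings are constructed for the example; web2py's IS_STRONG, CRYPT and Auth are not imported.

```python
import hashlib
import hmac
import re

# Constructed stand-in for web2py's IS_STRONG(min=8, max=0, special=1).
# Like a web2py validator it returns (value, None) on success and
# (value, error_message) on failure; the real class is not imported here.
def is_strong(min_len=8, special=1):
    def validate(value):
        if len(value) < min_len:
            return value, "Minimum length is %d" % min_len
        if len(re.findall(r"[^A-Za-z0-9]", value)) < special:
            return value, "Must include at least %d special character(s)" % special
        return value, None
    return validate

def password_requires(is_login, enforce_on_login=False):
    """Build the validator list for the password field.

    Mirrors the thread's conditional: the strength check is inserted only
    when the form is not the login form. enforce_on_login=True reproduces
    the always-on behaviour the thread argues against."""
    requires = []  # plays the role of auth.settings.table_user.password.requires
    if enforce_on_login or not is_login:
        requires.insert(0, is_strong(min_len=8, special=1))
    return requires

def _digest(password):
    # Plain sha256 keeps the example short; web2py's CRYPT uses salted pbkdf2.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed user store with a legacy account created before the policy.
USERS = {"alice": _digest("alpha")}

def attempt(action, username, password, enforce_on_login=False):
    """Run the form's validators, then log in or register. Returns a message."""
    for validate in password_requires(action == "login", enforce_on_login):
        _, error = validate(password)
        if error:
            return "form error: " + error
    if action == "login":
        # One fixed message for every failed login, so the response does not
        # depend on whether the submitted value met the strength policy.
        stored = USERS.get(username, "")
        ok = hmac.compare_digest(stored, _digest(password))
        return "ok" if ok else "invalid login"
    USERS[username] = _digest(password)
    return "registered"
```

With enforce_on_login left at False, a login attempt with a short value and one with a long value both return the same "invalid login", and the legacy account alice can still sign in; with it set to True, the login form reports the strength error instead and locks alice out.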