On Aug 21, 2011, at 8:17 PM, Massimo Di Pierro wrote:

> Do you suggest reverting the patch?

It does break existing installations.

The real fix is to enforce password-strength rules when passwords are being 
generated, but not when they're being checked. 

> 
> On Aug 21, 3:14 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>> On Aug 21, 2011, at 11:20 AM, Anthony wrote:
>> 
>>> On Sunday, August 21, 2011 1:56:00 PM UTC-4, Jonathan Lundell wrote:
>>> On Aug 21, 2011, at 9:27 AM, Jonathan Lundell wrote:
>>>> On Aug 21, 2011, at 8:33 AM, Jonathan Lundell wrote:
>> 
>>>>> I do something like this. Your details might vary.
>> 
>>>>> #  invoke IS_STRONG only for password creation, not password checking
>>>>> if "login" not in request.args:
>>>>>   auth.settings.table_user.password.requires.insert(0, IS_STRONG(min=8, max=0, special=1))
>> 
>>>>> ...but I also define the entire auth table, so Massimo's method is 
>>>>> handier if you're using the default.
>> 
>>>>> I think it'd be good if auth worked this way by default. There's no 
>>>>> reason to enforce IS_STRONG on login, and actually there's good reason 
>>>>> *not* to, since it enables an attacker to learn things about the actual 
>>>>> password.
>> 
>>>> Actually, as I review the source, the only place I see IS_STRONG being 
>>>> invoked by default is in the admin app. So if you're adding IS_STRONG to 
>>>> your auth forms, just make it conditional as above.
>> 
>>> ...and if that's right, perhaps we could put something like that (but with 
>>> a default IS_STRONG call?) into the scaffolding app, as an example.
>> 
>>> Looks like the recent change in trunk was to CRYPT, not IS_STRONG. CRYPT 
>>> now checks for a minimum password length, which defaults to 4. If you're 
>>> already using IS_STRONG, then I suppose you could just set the min_length 
>>> argument of CRYPT to 1.
>> 
>> Except that CRYPT is invoked inside Auth.
>> 
>> 1) I don't see a good reason for enforcing password length in CRYPT, and 2) 
>> password length (or strength) should never be enforced while checking.
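
The split the thread argues for, strength rules at password creation only and a plain hash comparison at login, as an added framework-free example (not web2py's IS_STRONG or CRYPT code; the policy, hashing scheme and user store are assumptions constructed for illustration):

```python
import hashlib
import hmac
import os
import re

# Assumed policy, modelled on the thread's min=8, special=1 settings.
def is_strong(password: str) -> bool:
    return len(password) >= 8 and re.search(r"[^A-Za-z0-9]", password) is not None

def hash_password(password: str, salt=None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed user store: "legacy" was created before the policy existed,
# exactly the "existing installation" case the thread worries about.
USERS = {
    "legacy": hash_password("pass"),
    "alice": hash_password("correct-horse#1"),
}

def set_password(username: str, password: str) -> str:
    """Registration / password change: the only place strength is enforced."""
    if not is_strong(password):
        return "password too weak"
    USERS[username] = hash_password(password)
    return "ok"

def login_strength_checked(username: str, password: str) -> str:
    """The behaviour the thread objects to: policy runs before verification."""
    if not is_strong(password):
        # Locks out legacy users and tells a guesser the policy applies to
        # the real password, narrowing the search space.
        return "password too weak"
    return login(username, password)

def login(username: str, password: str) -> str:
    """Checking: compare against the stored hash only, with one uniform error."""
    stored = USERS.get(username)
    if stored is None or not verify_password(password, stored):
        return "invalid login"
    return "ok"
```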

