FYI, it appears this is now requiring at least a 4 character password for 
'admin' (fine for production, but possibly annoying on local machine). Also, 
note that if you enter a password shorter than 4 characters for 'admin', you 
get no error feedback -- instead, when you later attempt to access 'admin', 
you get the 'admin disabled because no admin password' message, which is 
confusing.
 
Anthony

On Monday, August 22, 2011 1:03:10 AM UTC-4, Jonathan Lundell wrote:

> On Aug 21, 2011, at 8:17 PM, Massimo Di Pierro wrote:
>
> > Do you suggest reverting the patch?
>
> It does break existing installations.
>
> The real fix is to enforce password-strength rules when passwords are being 
> generated, but not when they're being checked. 
>
> > 
> > On Aug 21, 3:14 pm, Jonathan Lundell <jlun...@pobox.com> wrote:
> >> On Aug 21, 2011, at 11:20 AM, Anthony wrote:
> >> 
> >>> On Sunday, August 21, 2011 1:56:00 PM UTC-4, Jonathan Lundell wrote:
> >>> On Aug 21, 2011, at 9:27 AM, Jonathan Lundell wrote:
> >>>> On Aug 21, 2011, at 8:33 AM, Jonathan Lundell wrote:
> >> 
> >>>>> I do something like this. Your details might vary.
> >> 
> >>>>> #  invoke IS_STRONG only for password creation, not password checking
> >>>>> if "login" not in request.args:
> >>>>>   auth.settings.table_user.password.requires.insert(0,
> >>>>>       IS_STRONG(min=8, max=0, special=1))
> >> 
> >>>>> ...but I also define the entire auth table, so Massimo's method is 
> >>>>> handier if you're using the default.
> >> 
> >>>>> I think it'd be good if auth worked this way by default. There's no 
> >>>>> reason to enforce IS_STRONG on login, and actually there's good reason *not* 
> >>>>> to, since it enables an attacker to learn things about the actual password.
> >> 
> >>>> Actually, as I review the source, the only place I see IS_STRONG being 
> >>>> invoked by default is in the admin app. So if you're adding IS_STRONG to 
> >>>> your auth forms, just make it conditional as above.
> >> 
> >>> ...and if that's right, perhaps we could put something like that (but 
> >>> with a default IS_STRONG call?) into the scaffolding app, as an example.
> >> 
> >>> Looks like the recent change in trunk was to CRYPT, not IS_STRONG. 
> >>> CRYPT now checks for a minimum password length, which defaults to 4. If 
> >>> you're already using IS_STRONG, then I suppose you could just set the 
> >>> min_length argument of CRYPT to 1.
> >> 
> >> Except that CRYPT is invoked inside Auth.
> >> 
> >> 1) I don't see a good reason for enforcing password length in CRYPT, and 
> >> 2) password length (or strength) should never be enforced while checking.

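The design the thread converges on (strength rules only when a password is created, a bare hash comparison when it is checked, so that an existing short password still works and a login attempt learns nothing beyond match/no-match), shown as an added stand-alone Python model that is not web2py code; the `is_strong`, `crypt`, `build_requires` and `UserStore` names and the in-memory user table are assumptions made for the example.

```python
# Added example, not from the web2py thread or source: strength rules
# (the IS_STRONG role) run only on creation; the check path (the CRYPT
# role) only hashes and compares, so it never reveals anything about
# the stored password beyond match / no match.
import hashlib
import hmac
import os
import re

def is_strong(value, min_len=8, special=1):
    """Strength validator in web2py style: returns (value, error_or_None)."""
    if len(value) < min_len:
        return value, "password must be at least %d characters" % min_len
    if len(re.findall(r"[^A-Za-z0-9]", value)) < special:
        return value, "password needs at least %d special character(s)" % special
    return value, None

def crypt(value, salt=None):
    """Hash role only: no length rule here (the thread's point about CRYPT)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def build_requires(is_login):
    """Validator chain: strength only for creation, never for checking."""
    chain = []
    if not is_login:
        chain.append(is_strong)
    return chain

class UserStore:
    def __init__(self):
        self.users = {}  # constructed in-memory table: name -> stored hash

    def register(self, name, password):
        for validator in build_requires(is_login=False):
            password, error = validator(password)
            if error:
                return error  # surfaced to the form, not silently dropped
        self.users[name] = crypt(password)
        return None

    def login(self, name, password):
        # Same generic outcome for an unknown user, a wrong password, and a
        # legacy password that would fail today's strength rule.
        stored = self.users.get(name)
        if stored is None:
            return False
        salt_hex, _ = stored.split("$")
        candidate = crypt(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
```

A pre-existing short password (the "existing installations" case) still logs in because the check path applies no strength rule, while the same password is rejected with an explicit error if submitted through `register`.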