You are right. Check trunk, there is a solution.
On Aug 22, 12:03 am, Jonathan Lundell <jlund...@pobox.com> wrote:

> On Aug 21, 2011, at 8:17 PM, Massimo Di Pierro wrote:
>
> > Do you suggest reverting the patch?
> > It does break existing installations.
>
> The real fix is to enforce password-strength rules when passwords are being
> generated, but not when they're being checked.
>
> > On Aug 21, 3:14 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> >> On Aug 21, 2011, at 11:20 AM, Anthony wrote:
> >>
> >>> On Sunday, August 21, 2011 1:56:00 PM UTC-4, Jonathan Lundell wrote:
> >>> On Aug 21, 2011, at 9:27 AM, Jonathan Lundell wrote:
> >>>> On Aug 21, 2011, at 8:33 AM, Jonathan Lundell wrote:
> >>>>
> >>>>> I do something like this. Your details might vary.
> >>>>>
> >>>>>     # invoke IS_STRONG only for password creation, not password checking
> >>>>>     if "login" not in request.args:
> >>>>>         auth.settings.table_user.password.requires.insert(0, IS_STRONG(min=8, max=0, special=1))
> >>>>>
> >>>>> ...but I also define the entire auth table, so Massimo's method is
> >>>>> handier if you're using the default.
> >>>>>
> >>>>> I think it'd be good if auth worked this way by default. There's no
> >>>>> reason to enforce IS_STRONG on login, and actually there's good reason
> >>>>> *not* to, since it enables an attacker to learn things about the actual
> >>>>> password.
> >>>>
> >>>> Actually, as I review the source, the only place I see IS_STRONG being
> >>>> invoked by default is in the admin app. So if you're adding IS_STRONG to
> >>>> your auth forms, just make it conditional as above.
> >>>
> >>> ...and if that's right, perhaps we could put something like that (but
> >>> with a default IS_STRONG call?) into the scaffolding app, as an example.
> >>>
> >>> Looks like the recent change in trunk was to CRYPT, not IS_STRONG. CRYPT
> >>> now checks for a minimum password length, which defaults to 4. If you're
> >>> already using IS_STRONG, then I suppose you could just set the min_length
> >>> argument of CRYPT to 1.
> >>
> >> Except that CRYPT is invoked inside Auth.
> >>
> >> 1) I don't see a good reason for enforcing password length in CRYPT, and
> >> 2) password length (or strength) should never be enforced while checking.
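As an added example (not code from this thread and not web2py's own; is_strong, make_hash, verify_hash, register, login_leaky and login_safe are illustrative stand-ins for IS_STRONG and CRYPT, and the policy and PBKDF2 parameters are assumptions), here is the split the thread recommends written in plain Python: strength rules run on the creation path only, the login path does hash-and-compare and nothing else. A legacy account whose password predates the policy shows both things that go wrong when the validator also runs on login: the user is locked out, and the distinct error message tells an attacker that the real password satisfies the policy.

```python
import hashlib
import hmac
import os
import re
import secrets

# Policy constants (assumed for this example; they mirror the IS_STRONG(min=8,
# max=0, special=1) call quoted in the thread, not web2py's defaults)
MIN_LEN = 8
SPECIAL = 1
ITERATIONS = 100_000


def is_strong(pw, min_len=MIN_LEN, special=SPECIAL):
    """Return the list of policy violations for pw; [] means acceptable.
    Illustrative stand-in for IS_STRONG; meant to run only when a
    password is being set, never when one is being checked."""
    errors = []
    if len(pw) < min_len:
        errors.append("too short")
    if len(re.findall(r"[^A-Za-z0-9]", pw)) < special:
        errors.append("needs a special character")
    return errors


def make_hash(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; stand-in for CRYPT on the creation path.
    It deliberately imposes no length rule of its own (point 1 above)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_hash(pw, stored):
    """Recompute and compare in constant time against a make_hash() string."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


USERS = {}                                      # username -> stored hash (in-memory stand-in for the user table)
DUMMY_HASH = make_hash(secrets.token_hex(16))   # verified for unknown users so the cost is similar


def register(username, pw):
    """Creation path: strength rules ARE enforced here."""
    errors = is_strong(pw)
    if errors:
        return False, "; ".join(errors)
    USERS[username] = make_hash(pw)
    return True, "ok"


def login_leaky(username, pw):
    """The pattern the thread argues against: the strength validator runs on login.
    (a) an account whose password predates the policy can never log in again;
    (b) the separate error reveals that the real password satisfies the policy,
        so an attacker can skip every candidate that fails it."""
    errors = is_strong(pw)
    if errors:
        return False, "; ".join(errors)
    stored = USERS.get(username)
    if stored is not None and verify_hash(pw, stored):
        return True, "ok"
    return False, "invalid credentials"


def login_safe(username, pw):
    """Checking path: hash-and-compare only, one failure message for every
    wrong outcome, and a dummy verification for unknown usernames."""
    stored = USERS.get(username)
    if stored is None:
        verify_hash(pw, DUMMY_HASH)
        return False, "invalid credentials"
    if verify_hash(pw, stored):
        return True, "ok"
    return False, "invalid credentials"


if __name__ == "__main__":
    print(register("alice", "Correct-h0rse"))   # (True, 'ok')
    USERS["bob"] = make_hash("secret")           # constructed legacy account, stored before the policy
    print(login_safe("bob", "secret"))           # (True, 'ok')
    print(login_leaky("bob", "secret"))          # (False, 'too short; needs a special character')
```

The split is the same one the quoted snippet achieves in web2py by inserting IS_STRONG into `requires` only when the request is not the login action; here it is expressed as two separate code paths so the difference is visible in the return values rather than in validator configuration.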