> It's maybe worth pointing out that these validators should be imposed only
> when registering or changing a password, not during login. The problem with
> having password validators on login is that they leak password constraints
> to an attacker. (Of course, the registration form can be used to extract
> this information as well, but still...)

Looks like the code does remove the min_length constraint of CRYPT for login: http://code.google.com/p/web2py/source/browse/gluon/tools.py#1829, but doesn't do anything about IS_STRONG. Do you think we should change that?

Anthony
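
The difference discussed in this thread, as an added example that is not part of the original messages and is not web2py code: a standalone Python sketch comparing a login that re-runs strength validators with one that only verifies the stored hash. All function names, the in-memory user store and the policy values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8            # constructed policy value
GENERIC = "invalid login" # single message for every login failure
USERS = {}                # hypothetical in-memory store: name -> (salt, hash)

def strength_errors(password):
    """Policy checks, meant for registration or password change only."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("minimum length is %d" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        errors.append("must include an uppercase letter")
    if not re.search(r"\d", password):
        errors.append("must include a digit")
    return errors

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(name, password):
    """Policy feedback belongs here: the user is choosing a new password."""
    errors = strength_errors(password)
    if errors:
        return errors
    salt = os.urandom(16)
    USERS[name] = (salt, _hash(password, salt))
    return []

def login(name, password):
    """Compare hashes only; unknown user, short or wrong password look alike."""
    salt, stored = USERS.get(name, (b"\0" * 16, b""))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "ok" if ok else GENERIC

def login_leaky(name, password):
    """Re-runs the validators at login, so the error text reveals the policy."""
    errors = strength_errors(password)
    if errors:
        return errors[0]
    return login(name, password)
```
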