On Aug 21, 2011, at 8:33 AM, Jonathan Lundell wrote:

> I do something like this. Your details might vary.
>
> # invoke IS_STRONG only for password creation, not password checking
> if "login" not in request.args:
>     auth.settings.table_user.password.requires.insert(0, IS_STRONG(min=8, max=0, special=1))
>
> ...but I also define the entire auth table, so Massimo's method is handier if you're using the default.
>
> I think it'd be good if auth worked this way by default. There's no reason to enforce IS_STRONG on login, and actually there's good reason *not* to, since it enables an attacker to learn things about the actual password.
Actually, as I review the source, the only place I see IS_STRONG being invoked by default is in the admin app. So if you're adding IS_STRONG to your auth forms, just make it conditional as above.

