On Sunday, August 21, 2011 1:56:00 PM UTC-4, Jonathan Lundell wrote:
>
> On Aug 21, 2011, at 9:27 AM, Jonathan Lundell wrote:
>
> > On Aug 21, 2011, at 8:33 AM, Jonathan Lundell wrote:
> > 
> >> I do something like this. Your details might vary.
> >> 
> >> #  invoke IS_STRONG only for password creation, not password checking
> >> if "login" not in request.args:
> >>   auth.settings.table_user.password.requires.insert(0, IS_STRONG(min=8, max=0, special=1))
> >> 
> >> ...but I also define the entire auth table, so Massimo's method is handier if you're using the default.
> >> 
> >> I think it'd be good if auth worked this way by default. There's no reason to enforce IS_STRONG on login, and actually there's good reason *not* to, since it enables an attacker to learn things about the actual password.
> > 
> > Actually, as I review the source, the only place I see IS_STRONG being invoked by default is in the admin app. So if you're adding IS_STRONG to your auth forms, just make it conditional as above.
>
> ...and if that's right, perhaps we could put something like that (but with a default IS_STRONG call?) into the scaffolding app, as an example.
>
Looks like the recent change in trunk was to CRYPT, not IS_STRONG. CRYPT now 
checks for a minimum password length, which defaults to 4. If you're already 
using IS_STRONG, then I suppose you could just set the min_length argument 
of CRYPT to 1.
 
Anthony 
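
The pattern the thread converges on, as a standalone added example (this is not web2py's own code and not from either poster): a strength validator is inserted at the front of the password field's validator list only when the password is being set, and CRYPT's `min_length` is lowered to 1 so that existing short passwords can still be checked at login. `IsStrong`, `Crypt`, `password_requires`, `run_chain` and `check` are names assumed here; they mimic web2py's validator convention (a callable returning `(value, error)`, chain stops at the first error) with far fewer options than the real `IS_STRONG` and `CRYPT` in `gluon.validators`, and the PBKDF2 hashing is an assumption, not web2py's own digest scheme.

```python
"""Standalone sketch of "strength check on creation only, CRYPT min_length=1".

Added example, not web2py code. The classes below only imitate the
validator-chain convention (callable -> (value, error)) so the composition
can be run offline.
"""
import hashlib
import os
import string


class IsStrong:
    """Stand-in for IS_STRONG(min=..., max=..., special=...).
    max=0 means no upper bound, as in the quoted call."""

    def __init__(self, min=8, max=0, special=1):
        self.min, self.max, self.special = min, max, special

    def __call__(self, value):
        errors = []
        if self.min and len(value) < self.min:
            errors.append("Minimum length is %d" % self.min)
        if self.max and len(value) > self.max:
            errors.append("Maximum length is %d" % self.max)
        specials = sum(c in string.punctuation for c in value)
        if self.special and specials < self.special:
            errors.append("Must include at least %d special character(s)" % self.special)
        # Joining failures with '|' is an assumption about the message format.
        return (value, "|".join(errors) if errors else None)


class Crypt:
    """Stand-in for CRYPT(min_length=...): enforce a length floor, then hash.
    PBKDF2-HMAC-SHA256 with a random salt is an assumption for this sketch."""

    def __init__(self, min_length=4):  # 4 is the default Anthony mentions
        self.min_length = min_length

    def __call__(self, value):
        if len(value) < self.min_length:
            return (value, "Too short")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)
        return ("pbkdf2$" + salt.hex() + "$" + digest.hex(), None)


def password_requires(is_login, crypt_min_length=1):
    """Build the password field's validator list. Mirrors
    `if "login" not in request.args: requires.insert(0, IS_STRONG(...))`:
    the strength check is prepended only when the password is being set."""
    requires = [Crypt(min_length=crypt_min_length)]
    if not is_login:
        requires.insert(0, IsStrong(min=8, max=0, special=1))
    return requires


def run_chain(requires, value):
    """Apply validators in order; the first error stops the chain."""
    for validator in requires:
        value, error = validator(value)
        if error:
            return (None, error)
    return (value, None)


def check(password, is_login, crypt_min_length=1):
    """Return (hashed_value_or_None, error_or_None) for one form submission."""
    return run_chain(password_requires(is_login, crypt_min_length), password)


if __name__ == "__main__":
    # Legacy 3-character password: still usable at login with min_length=1,
    # rejected at login by CRYPT's default of 4, and rejected on registration
    # by the strength rule regardless of CRYPT.
    print(check("abc", is_login=True))
    print(check("abc", is_login=True, crypt_min_length=4))
    print(check("abc", is_login=False))
    print(check("correct horse!", is_login=False))
```

Because `IsStrong` never runs on the login path, a login attempt is answered only by the hash comparison, so the form cannot reveal anything about the stored password's composition; the strength rules apply exactly once, when the value is chosen.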