On 14 Aug 2012, at 9:33 AM, Anthony <abasta...@gmail.com> wrote:
> It's maybe worth pointing out that these validators should be imposed only
> when registering or changing a password, not during login. The problem with
> having password validators on login is that they leak password constraints to
> an attacker. (Of course, the registration form can be used to extract this
> information as well, but still...)
>
> Looks like the code does remove the min_length constraint of CRYPT for login:
> http://code.google.com/p/web2py/source/browse/gluon/tools.py#1829, but
> doesn't do anything about IS_STRONG. Do you think we should change that?
>
I think so, if we can do it safely there. --
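The point Anthony raises above, shown as an added example that is not part of the thread and not web2py's own code: a toy strength validator (`is_strong`, standing in for IS_STRONG) and a salted PBKDF2 hasher (`hash_password` / `verify_password`, standing in for CRYPT) are wired into two login paths. `login_leaky` runs the strength validator before checking credentials and therefore hands the policy to any unauthenticated caller; `login_safe` skips it and returns one uniform failure message. All names, the in-memory `USERS` table, the policy values and the sample accounts are constructed for this illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed policy for the toy strength validator (stand-in for IS_STRONG).
MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000


def is_strong(password):
    """Strength check for registration / password change only.

    Returns None when the password satisfies the policy, otherwise a
    descriptive message. Descriptive text is fine on the registration form;
    it is exactly what must not reach an unauthenticated login caller.
    """
    if len(password) < MIN_LENGTH:
        return "Minimum length is %d" % MIN_LENGTH
    if not re.search(r"\d", password):
        return "Must include at least one digit"
    return None


def hash_password(password, salt=None):
    """Stand-in for CRYPT on the way in: salted PBKDF2-HMAC-SHA256, hex encoded."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Stand-in for CRYPT on login: recompute with the stored salt, compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


USERS = {}  # username -> stored hash; constructed in-memory user table
# Verified for unknown usernames so the login path does the same work either way.
DUMMY_HASH = hash_password("placeholder")


def register(username, password):
    """Registration path: strength validator first, then hash and store."""
    error = is_strong(password)
    if error is not None:
        return False, error
    USERS[username] = hash_password(password)
    return True, "registered"


def login_leaky(username, password):
    """Anti-pattern: the strength validator also runs on the login form.

    A caller who is not logged in learns the password policy from the error
    text, and for a known username learns that the attempt was rejected for
    policy reasons rather than for being the wrong password.
    """
    error = is_strong(password)
    if error is not None:
        return False, error
    stored = USERS.get(username)
    if stored is None or not verify_password(password, stored):
        return False, "Invalid login"
    return True, "ok"


def login_safe(username, password):
    """Login path: no strength validation, one uniform failure message."""
    stored = USERS.get(username)
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
    if stored is None or not ok:
        return False, "Invalid login"
    return True, "ok"


if __name__ == "__main__":
    print(register("alice", "correct horse 1"))
    print(register("bob", "short"))            # policy message is expected here
    print(login_leaky("alice", "abc"))         # leaks the minimum length
    print(login_safe("alice", "abc"))          # just "Invalid login"
    print(login_safe("alice", "correct horse 1"))
```

The practical check for a real deployment is the same as in the toy: submit a deliberately weak value on the login form and confirm the response is indistinguishable from a wrong password; any policy wording there means a validator is still attached to the login path.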