--- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:

> Robert Leland wrote:
>
> > David Graham wrote:
> >
> >> The validation rules are only exposed if you use Struts'
> >> <html:javascript>
> >
> > Not true, they are exposed by server side validation also. The error
> > messages clearly state the min/max values.
>
> But even that is only exposed if you use the validator framework's
> minLength checks. If I didn't want to expose the fact that I cared
> about such things, I'd use two different validation mechanisms:
>
> * On the login screen, I'd use nothing except (perhaps) a "required"
>   validation.
>
> * On the admin screen that lets me change my own password, I'd write a
>   custom validator method + appropriate JavaScript -- or, more likely,
>   implement this as a server side check that approved a proposed
>   password (minimum length, appropriate mixture of letters and digits,
>   not in a dictionary, ...) without exposing *anything* about why a
>   password might get rejected.
>
> Of course, there's a usability issue here, too ... if you impose
> particular rules for passwords in the code but don't tell your users
> about what the rules are, you're bound to frustrate them when they try
> to set their own passwords to a new value, but don't know why you're not
> allowing the proposed value.
>
> Anyone who objects to exposing a "minimum password length" rule to the
> general public shouldn't be employing such a validation rule on their
> login screens in the first place.
My point is not that you shouldn't tell your users the rules; it's that
you shouldn't expose the validation algorithm to hackers. The less they
know about the password system, the better.

David

> >> I'm still -1 on this last commit for the reasons stated. Please revert
> >> this change to not validate password fields in the javascript.
> >
> > +1, will do it tomorrow.
>
> Craig

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
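The two-mechanism split Craig describes, as an added example that is not code from the thread or from Struts: the login form enforces only a "required" check, while the password-change path applies the server-side policy (minimum length, letters and digits, not a dictionary word) and can either answer opaquely or list the violated rules for the user's own screen. The word list, rule names and defaults are constructed for the example.

```python
import re

# Constructed sample word list; a deployment would load a real dictionary.
COMMON_WORDS = {"password", "letmein", "welcome", "struts", "qwerty"}


class PasswordPolicy:
    """Server-side password rules: minimum length, a mixture of letters
    and digits, and not a dictionary word (the checks named in the thread)."""

    def __init__(self, min_length=8, dictionary=COMMON_WORDS):
        self.min_length = min_length
        self.dictionary = {w.lower() for w in dictionary}

    def violations(self, password):
        """Detailed result for the self-service 'change my password' screen,
        where the user has to be told why a proposal was rejected."""
        problems = []
        if len(password) < self.min_length:
            problems.append("too_short")
        has_letter = re.search(r"[A-Za-z]", password) is not None
        has_digit = re.search(r"[0-9]", password) is not None
        if not (has_letter and has_digit):
            problems.append("needs_letters_and_digits")
        if password.lower() in self.dictionary:
            problems.append("dictionary_word")
        return problems

    def accepts(self, password):
        """Opaque yes/no answer: the policy is applied without revealing
        which rule fired, for paths that should disclose nothing."""
        return not self.violations(password)


def validate_login_fields(username, password):
    """Login screen: only a 'required' check and no policy rules, so neither
    the server-side error messages nor any generated client-side JavaScript
    discloses anything about the password rules."""
    errors = {}
    if not username.strip():
        errors["username"] = "required"
    if not password:
        errors["password"] = "required"
    return errors
```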