Even though you tell the user the password rules, they still shouldn't be able to see the details of how you're validating the password. I believe validator should ship with the secure best practices implemented by default and make the user enable/disable as they want.
David

--- Niall Pemberton <[EMAIL PROTECTED]> wrote:

> Even though the current javascript mask validator ignores password fields
> the validation algorithm is still revealed since (in Struts) the javascript
> to call that validator with the appropriate regexp is still generated.
>
> I also think that we shouldn't restrict what validation can be specified
> since what's a "good idea" to do (or not do) depends on the situation:
>
> 1) For "logon forms" I agree as little information as possible should be
> given and I would recommend that only two validation checks are made - a) a
> password must be entered (i.e. required) and b) the password entered must
> match that stored against the user.
>
> 2) For creating/changing a password it's a different matter, since if there
> are rules such as minimum/maximum lengths or a particular regexp validation
> algorithm - then the user needs to be told what the rules are if they enter
> an invalid password and I don't see a problem with having javascript
> validations for this.
>
> IMO we should remove any restrictions on password validations and just
> provide some "best practice" advice.
>
> Niall
>
> ----- Original Message -----
> From: "David Graham" <[EMAIL PROTECTED]>
> To: "Jakarta Commons Users List" <[email protected]>
> Sent: Wednesday, January 12, 2005 8:56 PM
> Subject: Re: [commons-validator] Problems with Javascript mask validation..plz Help!
>
> > Revealing detailed validation algorithms for passwords on the client is a
> > security issue so validator does not allow it by default. Also, you
> > should be able to replace [a-zA-Z_0-9] with \w.
> >
> > David
> >
> > --- Matt Bathje <[EMAIL PROTECTED]> wrote:
> >
> > > Eric Giguere wrote:
> > > > Hi all
> > > > I have problems with the commons-validator 1.1.3 javascript
> > > > implementation for validating masks.
> > > > I tried to validate user name and password on a form.
> > > >
> > > > For testing purposes, I've set both fields with the same regexp in the
> > > > validation.xml file:
> > > > ^[a-zA-Z_0-9][a-zA-Z_0-9!^$&%]{5,14}$
> > > > The username gets validated OK but not the password. It is possible? Is
> > > > the fact that the control shows **** as data (password field) breaks the
> > > > validation?
> > >
> > > The javascript side of the mask validation only works on fields with
> > > type hidden, text, textarea or file.
> > >
> > > Matt
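
The behaviour discussed in this thread, modelled as an added example (it is not part of any message above and is not the commons-validator source): the client-side mask check is applied only to the field types Matt lists, so a password field is skipped, and the mask from Eric's validation.xml is compared with the `\w` form David suggests. The function names, the field objects and the empty-value skip are assumptions of this model.

```javascript
// Simplified model for illustration; not the commons-validator source.
// Field types the thread says the client-side mask check is applied to.
const MASK_CHECKED_TYPES = new Set(["hidden", "text", "textarea", "file"]);

// Mask from the thread, and the same mask with [a-zA-Z_0-9] written as \w.
const MASK_LONG = /^[a-zA-Z_0-9][a-zA-Z_0-9!^$&%]{5,14}$/;
const MASK_SHORT = /^\w[\w!^$&%]{5,14}$/;

// Names of fields that fail the mask. Fields of any other type are skipped,
// and empty values are left to a separate "required" check (assumption).
function failedMaskFields(fields, mask) {
  return fields
    .filter((f) => MASK_CHECKED_TYPES.has(f.type))
    .filter((f) => f.value.length > 0 && !mask.test(f.value))
    .map((f) => f.name);
}

// Names of fields the client-side mask check never examines.
function skippedFields(fields) {
  return fields.filter((f) => !MASK_CHECKED_TYPES.has(f.type)).map((f) => f.name);
}

// True when both spellings of the mask accept and reject the same strings.
// Each ASCII character is tried in the first position and in the tail.
function masksAgree() {
  for (let code = 0; code < 128; code++) {
    const ch = String.fromCharCode(code);
    for (const s of [ch + "abcdef", "a" + ch + "bcdef", "abcde", "a".repeat(16)]) {
      if (MASK_LONG.test(s) !== MASK_SHORT.test(s)) return false;
    }
  }
  return true;
}

// Constructed form data: the same invalid value in a text and a password field.
const form = [
  { name: "username", type: "text", value: "bad name!" },
  { name: "password", type: "password", value: "bad name!" },
];

console.log("failed mask:", failedMaskFields(form, MASK_LONG));
console.log("never checked on the client:", skippedFields(form));
console.log("\\w form equivalent:", masksAgree());
```

Because the password field is skipped on the client, any rule that applies to it is only enforced if the server-side validation checks it.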
