On Aug 21, 2011, at 9:27 AM, Jonathan Lundell wrote:

> On Aug 21, 2011, at 8:33 AM, Jonathan Lundell wrote:
> 
>> I do something like this. Your details might vary.
>> 
>> # invoke IS_STRONG only for password creation, not password checking
>> if "login" not in request.args:
>>     auth.settings.table_user.password.requires.insert(0, IS_STRONG(min=8, max=0, special=1))
>> 
>> ...but I also define the entire auth table, so Massimo's method is handier 
>> if you're using the default.
>> 
>> I think it'd be good if auth worked this way by default. There's no reason 
>> to enforce IS_STRONG on login, and actually there's good reason *not* to, 
>> since it enables an attacker to learn things about the actual password.
> 
> Actually, as I review the source, the only place I see IS_STRONG being 
> invoked by default is in the admin app. So if you're adding IS_STRONG to your 
> auth forms, just make it conditional as above.

...and if that's right, perhaps we could put something like that (but with a 
default IS_STRONG call?) into the scaffolding app, as an example.
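The conditional-validator idea from the quoted snippet, worked through as a runnable sketch. This is an added example, not code from the thread or from web2py: `IS_STRONG` and `IS_NOT_EMPTY` below are simplified stand-ins that model only the `min`/`max`/`special` behaviour the snippet relies on (with `max=0` taken to mean "no upper bound", an assumption), `password_requires` stands in for the `auth.settings.table_user.password.requires` list, and the request args are a constructed list rather than a real `request.args`.

```python
"""Conditional password-strength validation (added example, not from the thread).

Models the rule in the quoted snippet: prepend IS_STRONG to the password
field's validator chain only when the request is NOT a login, so that the
strength checker never runs against a login attempt.  The validators here
are stand-ins for web2py's, implementing just the parameters used on the page.
"""

# Character class the stand-in counts as "special" (assumption; web2py has its own list).
SPECIALS = set("~!@#$%^&*()_+-=?<>,.:;{}[]|")


class IS_STRONG:
    """Stand-in for web2py's IS_STRONG, limited to min/max/special.

    Like web2py validators it is callable and returns (value, error)
    where error is None on success.
    """

    def __init__(self, min=8, max=0, special=1):
        self.min = min
        self.max = max          # 0 means no upper bound (assumption)
        self.special = special  # minimum number of special characters

    def __call__(self, value):
        errors = []
        if len(value) < self.min:
            errors.append("Minimum length is %d" % self.min)
        if self.max > 0 and len(value) > self.max:
            errors.append("Maximum length is %d" % self.max)
        if sum(1 for c in value if c in SPECIALS) < self.special:
            errors.append("Must include at least %d special character(s)" % self.special)
        return value, ("|".join(errors) or None)


class IS_NOT_EMPTY:
    """Stand-in for the generic validator already present on the password field."""

    def __call__(self, value):
        return value, (None if value else "Enter a value")


def password_requires(request_args):
    """Build the password field's validator chain for one request.

    request_args plays the role of request.args.  Only non-login requests
    (registration, password change) get the strength check prepended.
    """
    requires = [IS_NOT_EMPTY()]
    if "login" not in request_args:
        requires.insert(0, IS_STRONG(min=8, max=0, special=1))
    return requires


def validate(requires, value):
    """Run a validator chain the way a form does: stop at the first error."""
    for validator in requires:
        value, error = validator(value)
        if error:
            return error
    return None


def has_strength_check(request_args):
    """True when IS_STRONG is part of the chain for these request args."""
    return any(isinstance(v, IS_STRONG) for v in password_requires(request_args))


if __name__ == "__main__":
    # Constructed request paths: /user/register vs /user/login
    for args in (["register"], ["login"]):
        chain = password_requires(args)
        print(args, "strength check:", has_strength_check(args),
              "weak password ->", validate(chain, "short"))
```

Running the module prints the outcome for a weak password on both paths: registration reports the strength error, while login only ever yields the generic empty-value check, so the login form's error messages carry no information about password structure.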
