Anthony's correct - this is in Auth, but is not being respected: settings.password_min_length = 4

Massimo - "For security reason it will not be accepted for logging anyway." - Not sure what you meant but it registered me and logged me in with an empty pass. I also tried inserting:

db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))

in db.py and it hasn't fixed it. Bug report?

On Saturday, August 11, 2012 4:43:43 PM UTC-4, Anthony wrote:
>
> According to the code:
>
> settings.password_min_length = 4
>
> and
>
> table[passfield].requires = [
>     CRYPT(key=settings.hmac_key, min_length=settings.password_min_length)]
>
> So, isn't the minimum password length 4 by default?
>
> Anthony
>
> On Saturday, August 11, 2012 3:21:06 PM UTC-4, Massimo Di Pierro wrote:
>>
>> This was discussed once and people said there should be no default minimum
>> length for password. So technically a zero length password can be inserted.
>> For security reason it will not be accepted for logging anyway.
>>
>> db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))
>>
>> On Saturday, 11 August 2012 10:26:37 UTC-5, Yarin wrote:
>>>
>>> The default login form does not require a password to be entered when
>>> registering. Is this intentional? Seems a funny default.
>>>
>>> I can't figure out how to require a password.
>>>
>>> I added
>>> db.auth_user.password.requires = IS_NOT_EMPTY(error_message=auth.messages.is_empty)
>>>
>>> and added
>>> required=True
>>>
>>> to the db password field definition, but it still lets me register
>>> without any password...
>>>
>>
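
Added example, not part of the original thread and not web2py's own code: a stdlib-only audit that lists accounts whose stored password field is blank or equals the hash of the empty string, which is what an empty-password registration like the one reported above would leave behind. It assumes passwords are stored as an unsalted hex HMAC keyed with an hmac_key of the form "alg:secret"; the function names, sample key and sample rows are constructed, and hash_password must be replaced with whatever scheme the deployment actually uses.

```python
import hashlib
import hmac


def hash_password(password, hmac_key):
    """ASSUMED storage scheme: hex HMAC of the password, key given as 'alg:secret'."""
    alg, sep, secret = hmac_key.partition(":")
    if not sep:  # no algorithm prefix: assume sha512 and use the whole string as key
        alg, secret = "sha512", hmac_key
    digest = getattr(hashlib, alg)
    return hmac.new(secret.encode(), password.encode(), digest).hexdigest()


def find_empty_password_accounts(rows, hmac_key):
    """Return (id, reason) for rows whose password is blank or the hash of ''."""
    empty_hash = hash_password("", hmac_key).encode()
    findings = []
    for row in rows:
        stored = (row.get("password") or "").strip()
        if not stored:
            findings.append((row["id"], "no hash stored"))
        elif hmac.compare_digest(stored.lower().encode(), empty_hash):
            findings.append((row["id"], "hash of empty password"))
    return findings


# Constructed sample data: a key and four auth_user-like rows.
SAMPLE_KEY = "sha512:constructed-demo-key"
SAMPLE_ROWS = [
    {"id": 1, "email": "a@example.com", "password": hash_password("correct horse", SAMPLE_KEY)},
    {"id": 2, "email": "b@example.com", "password": hash_password("", SAMPLE_KEY)},
    {"id": 3, "email": "c@example.com", "password": None},
    {"id": 4, "email": "d@example.com", "password": hash_password("", SAMPLE_KEY).upper()},
]

if __name__ == "__main__":
    for user_id, reason in find_empty_password_accounts(SAMPLE_ROWS, SAMPLE_KEY):
        print(user_id, reason)
```

Accounts flagged this way should have their passwords reset after the minimum-length check is confirmed to be enforced at registration.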