On 14 Aug 2012, at 8:47 AM, Anthony <abasta...@gmail.com> wrote:
> Note, you shouldn't need:
> 
> db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=8))
> 
> given that you specify min_length in the CRYPT validator. You might consider 
> the IS_STRONG validator as well.

It's maybe worth pointing out that these validators should be imposed only when 
registering or changing a password, not during login. The problem with having 
password validators on login is that they leak password constraints to an 
attacker. (Of course, the registration form can be used to extract this 
information as well, but still...)
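
The point made in the reply above, as an added example that is not part of the original message and is not web2py code: a framework-independent sketch with a login that runs the policy validators beside one that does not. The names `policy_errors`, `Accounts`, `login_leaky` and the policy and messages are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8  # constructed policy value, standing in for min_length above


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def policy_errors(password):
    """Password policy. Meant for register/change-password forms only."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("minimum length is %d" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        errors.append("must contain a digit")
    return errors


class Accounts:
    """Hypothetical in-memory user store."""

    def __init__(self):
        self._users = {}

    def register(self, name, password):
        errors = policy_errors(password)  # explaining the policy here is expected
        if not errors:
            salt = os.urandom(16)
            self._users[name] = (salt, _hash(password, salt))
        return errors

    def _check(self, name, password):
        # Unknown users get a dummy salt and an empty hash that never matches.
        salt, stored = self._users.get(name, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        return "ok" if ok else "invalid login"

    def login_leaky(self, name, password):
        # Weak: policy validators run at login, so the error text states the policy.
        errors = policy_errors(password)
        return "; ".join(errors) if errors else self._check(name, password)

    def login(self, name, password):
        # Corrected: no policy validators; every failure gets the same message.
        return self._check(name, password)
```
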
