On 14 Aug 2012, at 9:19 AM, Rob_McC <mrmccorm...@gmail.com> wrote:
> >validators on login is that they leak password constraints to an attacker.
>   (Of course, the registration form can be used to extract this information 
> as well, but still...)
> 
> - I think I understand, when you say "leak"-- 
>      is it just a matter that anyone would see the message on the screen, 
> i.e. min 8 letters?
>        or is there more of a technical security leak you are referring to?

Just that they would see it, telling them that they needn't try guessing 
passwords less than 8 characters.

There's a cosmetic reason to suppress the validator as well, in that there's no 
particular point in telling the user anything more than that they got their 
login wrong. 

It's trivial to implement: just make adding the validator(s) conditional on the 
current request. Something like:

        if request.args(0) != 'login':
                add validators

will suffice.

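The conditional-validator idea from the reply above, as an added example that is not code from the thread or from web2py: `is_length` is a hypothetical stand-in for a password-strength validator written in web2py's `(value, error)` convention, `stored_password` is a constructed stand-in for the real credential check, and `conditional=False` shows the leaky setting beside the corrected one.

```python
# Added example: why the password validator must only be attached outside
# the login action. The validator convention mirrors web2py's (a callable
# returning (value, error)); is_length and the credential check are
# constructed stand-ins, not web2py's own code.


def is_length(min_len=8):
    """Hypothetical password-strength validator (stands in for IS_STRONG etc.)."""
    def validate(value):
        if len(value) < min_len:
            # This message is the "leak": it states the policy to whoever sees it.
            return value, "Password must be at least %d characters" % min_len
        return value, None
    return validate


def password_validators(request_arg0, conditional=True):
    """Validators to attach for the current action.

    request_arg0 plays the role of web2py's request.args(0).
    conditional=True is the fix from the thread; conditional=False is the
    weak setting where the validator is attached to every action, login included.
    """
    if conditional and request_arg0 == 'login':
        return []
    return [is_length(8)]


def login_error(password, stored_password, request_arg0='login', conditional=True):
    """Return the error text the user would see, or None on success.

    stored_password is a constructed stand-in for the real credential check.
    """
    for validator in password_validators(request_arg0, conditional):
        _, error = validator(password)
        if error:
            return error  # on login this would reveal the constraint
    if password != stored_password:
        return "Invalid login"  # deliberately says nothing more
    return None


if __name__ == '__main__':
    # Corrected: a short guess on login only gets the generic message.
    print(login_error('abc', 'correct horse', 'login'))
    # Weak: the same guess is answered with the length policy.
    print(login_error('abc', 'correct horse', 'login', conditional=False))
    # Registration still enforces the policy and tells the user why.
    print(login_error('abc', 'correct horse', 'register'))
```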