If you have a proposal for a change, now is the time. web2py 2.0 is approaching fast...
On Tuesday, 14 August 2012 11:48:41 UTC-5, Jonathan Lundell wrote:
>
> On 14 Aug 2012, at 9:33 AM, Anthony <abas...@gmail.com> wrote:
>
>> It's maybe worth pointing out that these validators should be imposed only
>> when registering or changing a password, not during login. The problem with
>> having password validators on login is that they leak password constraints
>> to an attacker. (Of course, the registration form can be used to extract
>> this information as well, but still...)
>>
>
> Looks like the code does remove the min_length constraint of CRYPT for
> login: http://code.google.com/p/web2py/source/browse/gluon/tools.py#1829,
> but doesn't do anything about IS_STRONG. Do you think we should change that?
>
> I think so, if we can do it safely there.
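
The design point discussed in this thread, as an added standalone example that is not part of the original messages and is not web2py code: strength checks run only when a password is set, while login returns one uniform error. `check_strength`, `UserStore` and the policy values are hypothetical stand-ins for validators such as IS_STRONG and the min_length check of CRYPT.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8  # constructed policy value, not web2py's default


def check_strength(password):
    """Hypothetical strength validator: returns an error string or None."""
    if len(password) < MIN_LENGTH:
        return "password must be at least %d characters" % MIN_LENGTH
    if not any(c.isdigit() for c in password):
        return "password must contain a digit"
    return None


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self):
        self._users = {}  # name -> (salt, hash)

    def register(self, name, password):
        # Policy feedback belongs here: the user is choosing a password.
        error = check_strength(password)
        if error:
            return error
        salt = os.urandom(16)
        self._users[name] = (salt, hash_password(password, salt))
        return None

    def login_leaky(self, name, password):
        # Validators left on the login form: the error text discloses
        # the password policy to anyone who submits a guess.
        error = check_strength(password)
        if error:
            return error
        return self.login(name, password)

    def login(self, name, password):
        # No validators on login: every failure yields the same message,
        # and a dummy salt keeps the hashing work equal for unknown users.
        salt, stored = self._users.get(name, (b"\0" * 16, b""))
        candidate = hash_password(password, salt)
        if stored and hmac.compare_digest(candidate, stored):
            return None
        return "invalid login"
```
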