[Zope-CMF] Password strength

Tres Seaver tseaver@zope.com
15 Apr 2003 12:49:00 -0400


On Tue, 2003-04-15 at 11:01, Tres Seaver wrote:
> On Tue, 2003-04-15 at 05:22, Andrew Veitch wrote:
> > I'm about to make some changes to the CMF for a client to allow control of
> > password strength.
> > 
> > I was going to add a couple of attributes to site_properties,
> > min_password_length and no_dictionary_passwords
> > 
> > I think all I need to do is some work on testPasswordValidity in the
> > RegistrationTool.
> > 
> > Does this approach seem sensible and would there be any interest in me
> > contributing this code when it's done?
> 
> I think it is a reasonable extension.  Here is how I would like to
> package it:
> 
>   - Add a "Policies" tab to the 'portal_registration' tool.  This
>     tab can just be the 'manage_propertiesForm' for the tool.
> 
>   - Add an '_properties' map to the tool, with non-deletable properties
>     which support your logic.
> 
>   - Have the 'testPasswordValidity' method use those property values.
> 
> Note that I put the properties on the registration tool, rather than in
> the "generic" site properties, for "separation of concerns" reasons.
> 
> We might add another string property, 'custom_validator_expression',
> which was a TALES expression indicating a custom script / regex /
> whatever to test the candidate password;  it would be used in place of
> the "default" logic, if present.

BTW, I just checked in my initial pass at this on a branch,
'tseaver-reg_properties-branch', made from the HEAD of CVS.  At present,
it exposes the three properties we are discussing, but only enforces
length (replacing the hard-wired '5' with the property value).

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
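
The policy discussed in this thread, sketched as an added example that is not part of the original message and is not CMF code. The class name `RegistrationPolicy`, the `dictionary` word list, the return convention (None when acceptable, otherwise an explanatory string) and the use of a plain Python callable in place of the proposed TALES expression are assumptions; the default of 5 is the hard-wired length mentioned above.

```python
# Added illustration, not CMF code. Only the three property names and
# 'testPasswordValidity' come from the thread; everything else is hypothetical.

class RegistrationPolicy:
    """Stand-in for a tool that carries the password policy properties."""

    def __init__(self, min_password_length=5, no_dictionary_passwords=False,
                 custom_validator=None, dictionary=()):
        self.min_password_length = min_password_length
        self.no_dictionary_passwords = no_dictionary_passwords
        # The thread proposes a TALES expression; a callable stands in here.
        self.custom_validator = custom_validator
        # Constructed word list, normalised once for case-insensitive lookup.
        self.dictionary = frozenset(w.lower() for w in dictionary)

    def testPasswordValidity(self, password, confirm=None):
        """Return None if acceptable, else a string explaining the failure
        (return convention assumed for this example)."""
        if confirm is not None and confirm != password:
            return "Your password and confirmation did not match."
        if self.custom_validator is not None:
            # Used in place of the default logic when present. A validator
            # that raises must reject the password, not let it through.
            try:
                return self.custom_validator(password)
            except Exception:
                return "Your password could not be validated."
        if len(password) < self.min_password_length:
            return ("Your password must contain at least %d characters."
                    % self.min_password_length)
        if (self.no_dictionary_passwords
                and password.lower() in self.dictionary):
            return "Your password must not be a dictionary word."
        return None
```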