Changes between Initial Version and Version 1 of Ticket #36179


Timestamp:
Feb 9, 2025, 7:06:33 AM (2 days ago)
Author:
Michel Le Bihan
Comment:

  • Ticket #36179 – Description

    initial  v1
    1        1    Hello,
    2        2
    3             - The common passwords database file (https://github.com/django/django/blob/main/django/contrib/auth/common-passwords.txt.gz) used by CommonPasswordValidator contains hexed strings like `$hex[617364666a6b6c3a]` on line 1679. That decodes to `asdfjkl:`, which I believe is a common password that was intended to be included in the database. Another example is `$hex[2623323333363a]` on line 8616, which decodes to `&#2336:`. I see that https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce contains the line `
    4             - 50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a]` and `echo -n 'asdfjkl:' | sha1sum` produces `72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b`. CommonPasswordValidator does not handle those hexed strings, which I believe is wrong.
             3    + The common passwords database file (https://github.com/django/django/blob/main/django/contrib/auth/common-passwords.txt.gz) used by CommonPasswordValidator contains hexed strings like `$hex[617364666a6b6c3a]` on line 1679. That decodes to `asdfjkl:`, which I believe is a common password that was intended to be included in the database. Another example is `$hex[2623323333363a]` on line 8616, which decodes to `&#2336:`. I see that https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce contains the line `50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a]` and `echo -n 'asdfjkl:' | sha1sum` produces `72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b`. CommonPasswordValidator does not handle those hexed strings, which I believe is wrong.
    5        4
    6        5    I propose to update the database file to decode the hexed values and remove those that obviously can't be entered by a user.
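The following is an added example, not part of the ticket or of Django itself, showing the effect the reporter describes and the decoding step the proposal calls for. It builds a small constructed password list in the same one-entry-per-line format as common-passwords.txt (the two `$hex[...]` lines are the ones quoted in the ticket; the plain entries are made up), decodes `$HEX[...]`/`$hex[...]` entries to text, discards entries that decode to non-text or non-printable bytes (the "obviously can't be entered by a user" case), and performs a membership check that mirrors how CommonPasswordValidator looks passwords up (lowercase, strip, set lookup), as a simplification and not Django's code. The `load_from_gz` helper is provided so the same decoder can be run on a real copy of the list; `sha1_hex` reproduces the reporter's cross-check against the gist entry.

```python
import gzip
import hashlib
import re
from typing import Iterable, Optional

# Matches the $HEX[...] wrapping used in hashcat-style password lists. The
# Django list quoted in the ticket uses a lowercase "$hex[" prefix, so the
# match is case-insensitive.
HEX_ENTRY = re.compile(r"^\$hex\[([0-9a-fA-F]*)\]$", re.IGNORECASE)

# Constructed sample in the format of common-passwords.txt (one entry per line).
# The two entries from the ticket are included verbatim; the rest are made up.
SAMPLE_LIST = """password
123456
$hex[617364666a6b6c3a]
qwerty
$hex[2623323333363a]
$hex[0d0a]
$hex[ff]
"""


def decode_entry(entry: str) -> Optional[str]:
    """Return the plain-text form of one list entry, or None if it is unusable.

    Plain entries are returned unchanged. $HEX[...] entries are decoded as
    UTF-8; entries that are not valid UTF-8, are empty, or contain
    non-printable characters (control codes, newlines) are dropped because a
    user could not realistically type them into a password field.
    """
    m = HEX_ENTRY.match(entry)
    if not m:
        return entry
    raw = bytes.fromhex(m.group(1))
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or not text.isprintable():
        return None
    return text


def load_passwords(lines: Iterable[str], decode_hex: bool) -> set:
    """Build the lookup set; decode_hex=False reproduces the current behaviour."""
    passwords = set()
    for line in lines:
        entry = line.strip()
        if not entry:
            continue
        if decode_hex:
            entry = decode_entry(entry)
            if entry is None:
                continue
        passwords.add(entry)
    return passwords


def load_from_gz(path: str, decode_hex: bool = True) -> set:
    """Load a gzip-compressed list such as common-passwords.txt.gz (hypothetical path)."""
    with gzip.open(path, "rt", encoding="utf-8") as f:
        return load_passwords(f, decode_hex)


def is_common(password: str, passwords: set) -> bool:
    """Membership test in the style of CommonPasswordValidator (simplified)."""
    return password.lower().strip() in passwords


def sha1_hex(text: str) -> str:
    """Hex SHA-1 of a string, matching `echo -n '<text>' | sha1sum`."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    raw = load_passwords(SAMPLE_LIST.splitlines(), decode_hex=False)
    fixed = load_passwords(SAMPLE_LIST.splitlines(), decode_hex=True)
    for candidate in ("asdfjkl:", "&#2336:"):
        print(f"{candidate!r}: flagged by raw list={is_common(candidate, raw)}, "
              f"by decoded list={is_common(candidate, fixed)}")
    # Cross-check of the ticket's gist line: the hash should match the one
    # listed next to $HEX[617364666a6b6c3a] in the gist.
    print("sha1('asdfjkl:') =", sha1_hex("asdfjkl:"))
```

With the raw list, `asdfjkl:` is not flagged because the set only contains the literal string `$hex[617364666a6b6c3a]`; with the decoded list it is. The `$hex[0d0a]` and `$hex[ff]` entries (a CR/LF pair and a lone invalid UTF-8 byte) are the kind of entry the proposal would drop rather than carry into the list.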