Opened 2 days ago
Last modified 31 hours ago
#36179 new Bug
hexed strings in common passwords database are not handled — at Version 1
| Reported by: | Michel Le Bihan | Owned by: | |
|---|---|---|---|
| Component: | contrib.auth | Version: | 5.1 |
| Severity: | Normal | Keywords: | CommonPasswordValidator |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Hello,
The common passwords database file (https://github.com/django/django/blob/main/django/contrib/auth/common-passwords.txt.gz) used by CommonPasswordValidator contains hexed strings like $hex[617364666a6b6c3a] on line 1679. That decodes to asdfjkl: which I believe is a common password that was intended to be included in the database. Another example is $hex[2623323333363a] on line 8616 that decodes to ठ:. I see that https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce contains the line 50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a] and echo -n 'asdfjkl:' | sha1sum produces 72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b. CommonPasswordValidator does not handle those hexed strings which I believe is wrong.
I propose to update the database file to decode the hexed values and remove those that obviously can't be entered by a user.