Opened 13 years ago

Closed 9 years ago

Last modified 8 years ago

#16860 closed New feature (fixed)

Provide hooks for password policy

Reported by: Paul McMillan
Owned by: Sasha Romijn
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc: cmawebsite@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Shai Berger)

While it is possible to change the validation for new passwords by subclassing the form, I think that Django should provide a more friendly interface for this. We should have a pluggable password authentication framework which enforces no rules by default, but comes with several reasonable example policies which may be enabled.

Problems to be solved include:

  • Informing the user of the various password requirements
  • Allowing policies to chain together smoothly
  • Provide flexibility for complex requirements (some may include their own models)
  • Backwards compatibility
  • Javascript validation assistance (someday, maybe?)
  • HTML5 support (i.e. the pattern attribute)
  • Prevent using email, username or other user attributes as (part of) passwords
  • Prevent reuse of old passwords
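
The requirements listed in the description (no rules by default, policies that chain, help text for the user, rejecting user attributes, rejecting reused passwords) can be seen working together in the following added example. It is a standalone illustration, not code from this ticket, its PR, or Django; every class and function name is hypothetical, and the user is a plain dict standing in for a user model.

```python
# Added illustration; all names are hypothetical and this is not Django's code.
import hashlib, hmac, os

class PolicyError(Exception):
    def __init__(self, messages):
        super().__init__("; ".join(messages))
        self.messages = list(messages)

class UserAttributeValidator:
    def get_help_text(self):
        return "Your password must not contain your username or e-mail address."
    def validate(self, password, user):
        parts = (user["username"], user["email"].split("@")[0])
        if any(len(p) >= 3 and p.lower() in password.lower() for p in parts):
            raise PolicyError([self.get_help_text()])
    def password_changed(self, password, user): pass  # stateless policy

class ReuseValidator:
    """Reject the last `keep` passwords; stores salted PBKDF2 digests only."""
    def __init__(self, keep=3):
        self.keep, self.history = keep, {}  # username -> [(salt, digest)]
    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    def get_help_text(self):
        return f"Your password must differ from your last {self.keep} passwords."
    def validate(self, password, user):
        for salt, digest in self.history.get(user["username"], []):
            if hmac.compare_digest(self._digest(password, salt), digest):
                raise PolicyError([self.get_help_text()])
    def password_changed(self, password, user):
        salt = os.urandom(16)
        entries = self.history.setdefault(user["username"], [])
        entries.append((salt, self._digest(password, salt)))
        del entries[:-self.keep]  # keep only the newest `keep` digests

def validate_password(password, user, validators=()):
    errors = []  # run every policy so the user sees all failures at once
    for validator in validators:
        try:
            validator.validate(password, user)
        except PolicyError as exc:
            errors.extend(exc.messages)
    if errors:
        raise PolicyError(errors)

def set_password(password, user, validators=()):
    validate_password(password, user, validators)
    for validator in validators:
        validator.password_changed(password, user)  # hook runs only after success
```

The reuse policy needs state, which is why it records a digest in a post-change hook rather than inside `validate`; a rejected password never enters the history.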

Change History (14)

comment:1 by Paul McMillan, 12 years ago

Description: modified (diff)

comment:2 by Collin Anderson, 10 years ago

Cc: cmawebsite@… added

comment:3 by Shai Berger, 10 years ago

Description: modified (diff)

I replaced two requirements that seem to be applicable to login pages (rate-limiting & lockout, captcha) with ones more applicable to password setting (use of user attributes, old password reuse).

comment:4 by Sasha Romijn, 9 years ago

Owner: changed from nobody to Sasha Romijn
Status: new → assigned
Version: 1.3 → master

I've submitted a PR with a demo of a fresh approach on https://github.com/django/django/pull/4276
The PR is not meant to be mergeable.

New mailing list discussion on: https://groups.google.com/forum/#!topic/django-developers/9GBhgGXmEKs

comment:5 by Sasha Romijn, 9 years ago

Has patch: set

comment:6 by Tim Graham, 9 years ago

Patch needs improvement: set

comment:7 by Sasha Romijn, 9 years ago

Patch needs improvement: unset

I've updated the PR for the many (good) comments and I believe it's now ready for merge, after a rebase. Could someone do a final review?

I've spoken to Aymeric about integrating this with the User model instead of adding a setting, but we concluded that this design is not a substantial improvement and does introduce a more complex coupling that is currently not needed. Therefore, we stuck to the basic idea of using a setting for configuration.

comment:8 by Erik Romijn <eromijn@…>, 9 years ago

Resolution: fixed
Status: assigned → closed

In 1daae25:

Fixed #16860 -- Added password validation to django.contrib.auth.

comment:9 by Tim Graham <timograham@…>, 9 years ago

In 55b3bd8:

Refs #16860 -- Minor edits and fixes to password validation.

comment:10 by Tim Graham <timograham@…>, 9 years ago

In 09f2cdb:

Refs #16860 -- Fixed a resource and deprecation warning in password validation.

comment:11 by Tim Graham <timograham@…>, 9 years ago

In f5e9d67:

Refs #16860 -- Moved password_changed() logic to AbstractBaseUser.

Thanks Carl Meyer for review.

comment:12 by Tim Graham <timograham@…>, 9 years ago

In 774c16d1:

Fixed #25052; refs #16860 -- Added password validation to UserCreationForm.

comment:13 by Tim Graham <timograham@…>, 8 years ago

In 53ccffd:

Refs #16860 -- Fixed password help text when there aren't any validators.

This avoids creating an empty list which is invalid HTML 4.

comment:14 by Tim Graham <timograham@…>, 8 years ago

In db88e40:

[1.9.x] Refs #16860 -- Fixed password help text when there aren't any validators.

This avoids creating an empty list which is invalid HTML 4.

Backport of 53ccffdb8c8e47a4d4304df453d8c79a9be295ab from master
