#16860 closed New feature (fixed)
Provide hooks for password policy
| Reported by: | Paul McMillan | Owned by: | Sasha Romijn |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | cmawebsite@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
While it is possible to change the validation for new passwords by subclassing the form, I think that Django should provide a more friendly interface for this. We should have a pluggable password authentication framework which enforces no rules by default, but comes with several reasonable example policies which may be enabled.
Problems to be solved include:
- Informing the user of the various password requirements
- Allowing policies to chain together smoothly
- Provide flexibility for complex requirements (some may include their own models)
- Backwards compatibility
- Javascript validation assistance (someday, maybe?)
- HTML5 support (i.e. the pattern attribute)
- Prevent using email, username or other user attributes as (part of) passwords
- Prevent reuse of old passwords
Change History (14)
comment:1 by , 13 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 10 years ago
| Cc: | added |
|---|
comment:3 by , 10 years ago
| Description: | modified (diff) |
|---|
I replaced two requirements that seem to be applicable to login pages (rate-limiting & lockout, captcha) with ones more applicable to password setting (use of user attributes, old password reuse).
comment:4 by , 10 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
| Version: | 1.3 → master |
I've submitted a PR with a demo of a fresh approach on https://github.com/django/django/pull/4276
The PR is not meant to be mergable.
New mailing list discussion on: https://groups.google.com/forum/#!topic/django-developers/9GBhgGXmEKs
comment:5 by , 10 years ago
| Has patch: | set |
|---|
comment:6 by , 10 years ago
| Patch needs improvement: | set |
|---|
comment:7 by , 9 years ago
| Patch needs improvement: | unset |
|---|
I've updated the PR for the many (good) comments and I believe it's now ready for merge, after a rebase. Could someone do a final review?
I've spoken to Aymeric about integrating this with the User model instead of adding a setting, but we concluded that this design is not a substantial improvement and does introduce a more complex coupling that is currently not needed. Therefore, we stuck to the basic idea of using a setting for configuration.
mailing list discussion: https://groups.google.com/d/topic/django-developers/kec0UF_xc3k/discussion