Opened 9 years ago

Last modified 5 years ago

#16860 closed New feature

Provide hooks for password policy — at Version 3

Reported by: Paul McMillan
Owned by: nobody
Component: contrib.auth
Version: master
Severity: Normal
Keywords:
Cc: cmawebsite@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Shai Berger)

While it is possible to change the validation for new passwords by subclassing the form, I think that Django should provide a more friendly interface for this. We should have a pluggable password authentication framework which enforces no rules by default, but comes with several reasonable example policies which may be enabled.

Problems to be solved include:

  • Informing the user of the various password requirements
  • Allowing policies to chain together smoothly
  • Provide flexibility for complex requirements (some may include their own models)
  • Backwards compatibility
  • JavaScript validation assistance (someday, maybe?)
  • HTML5 support (i.e. the pattern attribute)
  • Prevent using email, username or other user attributes as (part of) passwords
  • Prevent reuse of old passwords

Change History (3)

comment:1 Changed 9 years ago by Paul McMillan

Description: modified (diff)

comment:2 Changed 6 years ago by Collin Anderson

Cc: cmawebsite@… added

comment:3 Changed 6 years ago by Shai Berger

Description: modified (diff)

I replaced two requirements that seem to be applicable to login pages (rate-limiting & lockout, captcha) with ones more applicable to password setting (use of user attributes, old password reuse).
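The policy chaining asked for in the description, with the two password-setting requirements named in comment:3 (user attributes, old-password reuse), as an added example that is not part of the ticket or of Django's code. The class names, the dict-based user record and the PBKDF2 history format are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class PolicyError(Exception):
    """Raised by a policy when a candidate password breaks its rule."""

def hash_password(password, salt=None, iterations=100_000):
    """Return (salt, iterations, digest); history stores these, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

class NoUserAttributes:
    def help_text(self):
        return "Do not include your username or email address."
    def validate(self, password, user):
        lowered = password.lower()
        for value in (user.get("username", ""), user.get("email", "")):
            # Whole value plus the part before "@"; very short fragments are skipped.
            for part in {value.lower(), value.lower().split("@")[0]}:
                if len(part) >= 3 and part in lowered:
                    raise PolicyError(self.help_text())

class NoReuse:
    def help_text(self):
        return "Do not reuse a previous password."
    def validate(self, password, user):
        for salt, iterations, digest in user.get("history", []):
            candidate = hash_password(password, salt, iterations)[2]
            if hmac.compare_digest(candidate, digest):
                raise PolicyError(self.help_text())

def requirements(policies):
    """Help text to show the user before they choose a password."""
    return [policy.help_text() for policy in policies]

def check_password(password, user, policies=()):
    """Run the whole chain, collecting every failure; an empty chain enforces nothing."""
    errors = []
    for policy in policies:
        try:
            policy.validate(password, user)
        except PolicyError as exc:
            errors.append(str(exc))
    return errors

# Constructed sample record (hypothetical fields, not Django's User model).
SAMPLE_USER = {"username": "alice", "email": "alice@example.com",
               "history": [hash_password("Old-Passphrase-2019")]}
```

Because `check_password` returns every failure instead of stopping at the first, a form can show the user all unmet requirements in one pass.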
