Opened 13 years ago
Last modified 9 years ago
#16860 closed New feature
Provide hooks for password policy — at Version 3
| Reported by: | Paul McMillan | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | cmawebsite@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
While it is possible to change the validation for new passwords by subclassing the form, I think that Django should provide a more friendly interface for this. We should have a pluggable password authentication framework which enforces no rules by default, but comes with several reasonable example policies which may be enabled.
Problems to be solved include:
- Informing the user of the various password requirements
- Allowing policies to chain together smoothly
- Provide flexibility for complex requirements (some may include their own models)
- Backwards compatibility
- Javascript validation assistance (someday, maybe?)
- HTML5 support (i.e. the pattern attribute)
- Prevent using email, username or other user attributes as (part of) passwords
- Prevent reuse of old passwords
Change History (3)
comment:1 by , 13 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 10 years ago
| Cc: | added |
|---|
comment:3 by , 10 years ago
| Description: | modified (diff) |
|---|
I replaced two requirements that seem to be applicable to login pages (rate-limiting & lockout, captcha) with ones more applicable to password setting (use of user attributes, old password reuse).
Note:
See TracTickets
for help on using tickets.
mailing list discussion: https://groups.google.com/d/topic/django-developers/kec0UF_xc3k/discussion