Opened 13 years ago
Last modified 9 years ago
#16860 closed New feature
Provide hooks for password policy — at Version 3
Reported by: | Paul McMillan | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | cmawebsite@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
While it is possible to change the validation for new passwords by subclassing the form, I think that Django should provide a more friendly interface for this. We should have a pluggable password authentication framework which enforces no rules by default, but comes with several reasonable example policies which may be enabled.
Problems to be solved include:
- Informing the user of the various password requirements
- Allowing policies to chain together smoothly
- Provide flexibility for complex requirements (some may include their own models)
- Backwards compatibility
- JavaScript validation assistance (someday, maybe?)
- HTML5 support (i.e. the pattern attribute)
- Prevent using email, username or other user attributes as (part of) passwords
- Prevent reuse of old passwords
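A sketch of the kind of chained policy interface the description asks for, added here as an illustration; it is not part of the ticket and not Django's code. Every name in it (`PolicyViolation`, `MinimumLength`, `NotUserAttribute`, `NoReuse`, `requirements`, `check_password`, `digest`) is hypothetical, and the user object and the salted PBKDF2 password-history format are assumptions.

```python
import hashlib
import hmac
from types import SimpleNamespace

class PolicyViolation(Exception):
    """Raised by a policy when a candidate password breaks its rule."""

def digest(password, salt):  # assumed storage format for the password history
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class MinimumLength:
    def __init__(self, length=12):
        self.length = length
    def help_text(self):
        return f"Use at least {self.length} characters."
    def validate(self, password, user):
        if len(password) < self.length:
            raise PolicyViolation(self.help_text())

class NotUserAttribute:
    def help_text(self):
        return "Do not include your username or email address."
    def validate(self, password, user):
        attrs = (user.username, user.email, user.email.split("@")[0])
        if any(len(a) >= 3 and a.lower() in password.lower() for a in attrs):
            raise PolicyViolation(self.help_text())

class NoReuse:
    def help_text(self):
        return "Do not reuse a previous password."
    def validate(self, password, user):
        for salt, old in user.old_passwords:  # [(salt, digest), ...]
            if hmac.compare_digest(digest(password, salt), old):
                raise PolicyViolation(self.help_text())

def requirements(policies=()):  # text to show beside the form up front
    return [p.help_text() for p in policies]

def check_password(password, user, policies=()):
    errors = []  # run the whole chain and report every failure, not only the first
    for policy in policies:
        try:
            policy.validate(password, user)
        except PolicyViolation as exc:
            errors.append(str(exc))
    return errors

if __name__ == "__main__":  # constructed sample user and password
    user = SimpleNamespace(username="alice", email="alice@example.com", old_passwords=[])
    print(check_password("alice-2024", user, [MinimumLength(), NotUserAttribute(), NoReuse()]))
```

With the default empty chain nothing is enforced, which matches the "no rules by default" requirement; the same policy objects supply both the up-front requirement text and the per-failure messages.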
Change History (3)
comment:1 by , 13 years ago
Description: | modified (diff) |
---|
comment:2 by , 10 years ago
Cc: | added |
---|
comment:3 by , 10 years ago
Description: | modified (diff) |
---|
I replaced two requirements that seem to be applicable to login pages (rate-limiting & lockout, captcha) with ones more applicable to password setting (use of user attributes, old password reuse).
mailing list discussion: https://groups.google.com/d/topic/django-developers/kec0UF_xc3k/discussion