id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27467	UserAttributeSimilarityValidator max_similarity=0/1 doesn't work as documented	goblinJoel	nobody	"While this has to do with configuring password validation, it doesn't strike me as a security vulnerability per se, so I'm posting in the standard bug tracker:

The documentation for UserAttributeSimilarityValidator states,
  ""The maximum similarity the password can have, before it is rejected, can be set with the max_similarity parameter, on a scale of 0 to 1. A setting of 0 will cause all passwords to be rejected, '''whereas a setting of 1 will cause it to only reject passwords that are identical to an attribute’s value.'''""

However, if you set it to 1, it will never reject a password, even when identical to a user attribute (for example, email). The code checks whether the similarity is '''>''' the max_similarity, rather than '''>=''' as the documentation describes. The documentation should be updated to reflect this.

I found this on Django 1.9.11 while testing that I'd installed password validators correctly: when I tried to change a test user's password (via the admin) to the same as their email, it allowed it. If I changed max_similarity to 1.0 instead of 1, I got the same behavior. If I changed it to 0.9, it rejected the email as password, as it should.

The documentation for the version I'm using: https://docs.djangoproject.com/en/1.9/topics/auth/passwords/#django.contrib.auth.password_validation.UserAttributeSimilarityValidator

The source code for the validator: https://docs.djangoproject.com/en/1.9/_modules/django/contrib/auth/password_validation/#UserAttributeSimilarityValidator

I checked the docs and source code for 1.10 and dev, and they appear to have the same issue. I haven't submitted a bug here before, so I hope I've done everything correctly!"	Bug	closed	contrib.auth	1.9	Normal	fixed	password management validation validator	Sasha Romijn	Accepted	1	0	0	0	0	0
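
The comparison the ticket describes can be reproduced without Django. The following is an added example for this page, not the reporter's code and not Django's validator: a standalone reimplementation of the similarity loop with a switch between the `>` the reporter found in the code and the `>=` the documentation describes. It assumes (the ticket does not say so) that the validator lower-cases the password, compares it against each non-word-delimited chunk of the attribute plus the whole attribute value, and scores similarity with difflib's `SequenceMatcher.quick_ratio()`. The `FakeUser` class, the `USER` instance and the `boundary_table` helper are constructed for the example.

```python
"""Standalone reconstruction of the similarity check described in ticket 27467.

Example code added for this page; it is not Django's validator. Assumption: the
validator lower-cases the password, splits each user attribute on non-word
characters (and also keeps the whole value) and scores each pair with
difflib.SequenceMatcher.quick_ratio(); the ticket does not spell this out.
"""
import re
from difflib import SequenceMatcher

DEFAULT_USER_ATTRIBUTES = ("username", "first_name", "last_name", "email")


class FakeUser:
    """Constructed stand-in for a user model; not django.contrib.auth.User."""

    def __init__(self, username, email, first_name="", last_name=""):
        self.username = username
        self.email = email
        self.first_name = first_name
        self.last_name = last_name


def similar_attributes(password, user, max_similarity=0.7,
                       user_attributes=DEFAULT_USER_ATTRIBUTES,
                       inclusive=False):
    """Return [(attribute, matched_part, ratio), ...] for every attribute the
    password is too similar to; an empty list means the password passes.

    inclusive=False uses the '>' comparison the ticket reports in the code;
    inclusive=True uses the '>=' comparison the documentation describes.
    """
    hits = []
    for name in user_attributes:
        value = getattr(user, name, None)
        if not value or not isinstance(value, str):
            continue
        # Candidates are the word-ish chunks of the attribute plus the whole value,
        # so for an email both "jane" and "jane.smith@example.com" are compared.
        parts = [p for p in re.split(r"\W+", value) if p] + [value]
        for part in parts:
            ratio = SequenceMatcher(a=password.lower(), b=part.lower()).quick_ratio()
            too_similar = ratio >= max_similarity if inclusive else ratio > max_similarity
            if too_similar:
                hits.append((name, part, ratio))
                break  # one hit per attribute is enough to reject the password
    return hits


def is_rejected(password, user, max_similarity=0.7, inclusive=False):
    """True when the validator would reject this password for this user."""
    return bool(similar_attributes(password, user, max_similarity, inclusive=inclusive))


# Constructed test user (hypothetical values, not from the ticket).
USER = FakeUser(username="jsmith", email="jane.smith@example.com",
                first_name="Jane", last_name="Smith")


def boundary_table(password, user):
    """Reproduce the reporter's experiment at the documented boundaries.

    Returns {(max_similarity, comparison): rejected} for the settings the
    documentation singles out (0 and 1) plus the 0.9 the reporter tried.
    1.0 is the same number as 1 in Python, so it is not listed separately.
    """
    table = {}
    for max_sim in (0, 0.9, 1):
        table[(max_sim, ">")] = is_rejected(password, user, max_sim, inclusive=False)
        table[(max_sim, ">=")] = is_rejected(password, user, max_sim, inclusive=True)
    return table


if __name__ == "__main__":
    # Password identical to the user's email, as in the ticket.
    for (max_sim, op), rejected in sorted(boundary_table(USER.email, USER).items()):
        print(f"max_similarity={max_sim!r:<4} similarity {op} max_similarity -> "
              f"{'rejected' if rejected else 'ACCEPTED'}")
```

Running it shows the two boundaries the docs describe: with `>` a password equal to the email passes at `max_similarity=1` (ratio 1.0 is not greater than 1), and a password sharing no characters with any attribute passes at `max_similarity=0`; with `>=` both are rejected, which is the behaviour the documentation text promises.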
