﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29952	All passwords in contrib/auth/common-passwords.txt.gz should be lowercased	Mathew Payne	Mathew Payne	"There is a bug with the ""CommonPasswordValidator"" where the password validation step is done using `password.lower()` to make sure that case sensitivity isn't an issue in passwords.
497 of the passwords stored in the Django provided file (`django/contrib/auth/common-passwords.txt.gz`) are stored containing uppercase characters, which means that 497 of the passwords are not checked correctly when validating.

Here are some examples of passwords in the file:
- VQsaBLPzLa
- FQRG7CS493
- DIOSESFIEL
- 3rJs1la7qE
- ...

Here is a small test to prove that the password validation is not working as it should:

''tests/auth_tests/test_validators.py''
{{{
from django.contrib.auth.password_validation import CommonPasswordValidator
from django.core.exceptions import ValidationError
from django.test import TestCase


class CommonPasswordValidatorTest(TestCase):
    def test_password_validation_issue(self):
        # using standard list (django/contrib/auth/common-passwords.txt.gz)
        validator = CommonPasswordValidator()
        # is the password in the list? Yes (stored with its original case).
        self.assertIn('VQsaBLPzLa', validator.passwords)
        # check if the validation function throws an error. It doesn't,
        # because validate() lowercases the candidate before the lookup
        # and the lowercased form is not in the list.
        with self.assertRaises(ValidationError):
            self.assertIsNone(validator.validate('VQsaBLPzLa'))

And I get this Unit test error:
{{{
======================================================================
FAIL: test_password_validation_issue (auth_tests.test_validators.CommonPasswordValidatorTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File ""/usr/lib/python3.6/unittest/case.py"", line 59, in testPartExecutor
    yield
  File ""/usr/lib/python3.6/unittest/case.py"", line 605, in run
    testMethod()
  File ""/user/geekmasher/django/tests/auth_tests/test_validators.py"", line 193, in test_password_validation_issue
    self.assertIsNone(validator.validate('VQsaBLPzLa'))
  File ""/usr/lib/python3.6/unittest/case.py"", line 203, in __exit__
    self._raiseFailure(""{} not raised"".format(exc_name))
  File ""/usr/lib/python3.6/unittest/case.py"", line 135, in _raiseFailure
    raise self.test_case.failureException(msg)
AssertionError: ValidationError not raised
}}}

**Recommendation:**

- All passwords in the Django supplied list should be lowercased to match the validation phase.
    - Duplicates should be removed from the Django list, if any.
- If a user supplied path is given, the user can request to `auto_lower` the list's items on init to match the validation.
    - If it's lowercased every time a user supplied path is provided (even if they are lowercased already), the performance of the function could be significantly slower.


I will be submitting a Pull Request shortly.
"	Bug	closed	contrib.auth	2.1	Release blocker	fixed	password,validation		Accepted	1	0	0	1	0	0
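The mismatch the ticket describes, as an added example that is not part of the ticket and not Django's own code: a hypothetical re-creation of the lookup (`password.lower()` against a list stored as-is), a count of the entries that lookup can never reach, and the recommended normalization (lowercase, then let the set drop the duplicates it creates). The gzipped list is constructed inline to stand in for `common-passwords.txt.gz`; the function names are this example's own.

```python
import gzip
import io

# Constructed sample standing in for common-passwords.txt.gz (not the real
# Django file): mixed-case entries like those quoted in the ticket, plus a
# case-variant duplicate ("Password") to show why de-duplication matters.
SAMPLE_GZ = gzip.compress(
    "password\n123456\nVQsaBLPzLa\nFQRG7CS493\nDIOSESFIEL\n3rJs1la7qE\nPassword\n".encode("utf-8")
)


def load_passwords(raw_gz: bytes) -> set:
    """Read a gzipped one-per-line list into a set, exactly as stored."""
    with gzip.open(io.BytesIO(raw_gz), "rt", encoding="utf-8") as fh:
        return {line.strip() for line in fh if line.strip()}


def is_common_before_fix(password: str, passwords: set) -> bool:
    """Hypothetical re-creation of the bug: the candidate is lowercased,
    but the stored entries are compared with their original case."""
    return password.lower() in passwords


def unreachable_entries(passwords: set) -> set:
    """Entries that can never match, because password.lower() is always
    all-lowercase and these contain at least one uppercase letter."""
    return {p for p in passwords if p != p.lower()}


def normalize(passwords: set) -> set:
    """The recommended fix: lowercase every entry; the set discards the
    duplicates that lowercasing produces (here "Password" -> "password")."""
    return {p.lower() for p in passwords}


def is_common_after_fix(password: str, passwords: set) -> bool:
    """Same lookup as before, but against the normalized list."""
    return password.lower() in normalize(passwords)


if __name__ == "__main__":
    pw = load_passwords(SAMPLE_GZ)
    print("stored entries:", len(pw))
    print("unreachable:", sorted(unreachable_entries(pw)))
    print("before fix:", is_common_before_fix("VQsaBLPzLa", pw))
    print("after fix:", is_common_after_fix("VQsaBLPzLa", pw))
    print("normalized size:", len(normalize(pw)))
```

Running the script shows five of the seven constructed entries are unreachable before the fix, the ticket's example `VQsaBLPzLa` is rejected only after normalization, and the normalized list shrinks to six entries because the case-variant duplicate collapses. In a real deployment the normalization should happen once when the list is built, not on every `validate()` call, which is the performance point the ticket's recommendation raises.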
