Opened 5 years ago

Closed 5 years ago

#30442 closed New feature (wontfix)

Add additional validators to auth/password_validation.py

Reported by: Brad Owned by: nobody
Component: contrib.auth Version: dev
Severity: Normal Keywords: validators, password
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: yes
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

PR: https://github.com/django/django/pull/11319

Add the following validator classes:

NoAmbiguousCharactersValidator

Validate that the password does not contain ambiguous characters.
The default set of ambiguous characters is:
{ 0, 1, I, i, l, |, O, o }

NoRepeatSubstringsValidator

Validate that the password does not contain repeated substrings
longer than a given threshold.

NoSequentialCharsValidator

Validate that the password does not contain sequential repeated
characters.

ShannonEntropyValidator

Validate that the password is sufficiently complex via the
Shannon Entropy score.

Also add an `__all__` dunder to contrib/auth/password_validation.py
that contains both top-level module functions and the full set
of validator classes.

Also add respective tests for each of the 4 new classes in
auth_test/test_validators.py. Each, at a minimum, tests
.validate() and .get_help_text() in a manner similar to the
existing tests from that module.


Why add these classes?

These classes should be added in the spirit of _more validation is almost
always better._ These classes' .validate() methods are meant to be
straightforward, quick, and lightweight. They offer checks that are
not captured by the existing validators.

One piece of food for thought is to more thoroughly document that
rules-based password validation can be a fool's errand depending on
how you structure it. These days, the consensus seems to be moving
towards the conclusion that users should shift their focus from passwords
to passphrases. The idea here is that *entropy is king*:
a 38-character all-lowercase password could have 170 bits of entropy
but fail a basic "mixed case letters" test. In other words, all of
the validators are best used in combination, and it should be
advertised everywhere possible that they provide _negative_ checks
in many cases rather than positive ones.
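The four validators described above, written out as a runnable example (this is added illustration code, not the code from PR 11319 or from Django itself). It follows the shape Django's password validators have, a plain class with `validate(password, user=None)` and `get_help_text()`, but uses a local `ValidationError` stand-in so it runs without Django installed; the thresholds (`min_length=3`, `max_run=3`, `min_bits`), the error codes, and the reading of "sequential repeated characters" as both identical runs and adjacent code-point runs are this example's assumptions. `shannon_bits` scores the characters actually present in the password, which is what makes an all-lowercase passphrase come out far ahead of a short mixed-symbol password.

```python
import math
from collections import Counter


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError so this module
    imports without Django (assumption: same message/code attributes)."""

    def __init__(self, message, code=None):
        super().__init__(message)
        self.message = message
        self.code = code


class NoAmbiguousCharactersValidator:
    """Reject characters that are easy to misread. Default set is the one
    listed in the ticket: 0 1 I i l | O o."""

    DEFAULT_AMBIGUOUS = frozenset("01Iil|Oo")

    def __init__(self, ambiguous=DEFAULT_AMBIGUOUS):
        self.ambiguous = frozenset(ambiguous)

    def validate(self, password, user=None):
        found = sorted(set(password) & self.ambiguous)
        if found:
            raise ValidationError(
                "This password contains ambiguous characters: %s." % " ".join(found),
                code="password_ambiguous_characters")

    def get_help_text(self):
        return "Your password can't contain any of: %s." % " ".join(sorted(self.ambiguous))


class NoRepeatSubstringsValidator:
    """Reject a substring of at least `min_length` characters that occurs
    twice without overlapping, e.g. 'abcabc' (threshold is an assumption)."""

    def __init__(self, min_length=3):
        self.min_length = min_length

    def validate(self, password, user=None):
        n = self.min_length
        # Any repeated substring longer than n contains a repeated substring of
        # exactly n, so sliding a window of size n is sufficient.
        for i in range(len(password) - n + 1):
            chunk = password[i:i + n]
            if password.find(chunk, i + n) != -1:
                raise ValidationError(
                    "This password repeats the substring %r." % chunk,
                    code="password_repeated_substring")

    def get_help_text(self):
        return "Your password can't repeat a sequence of %d or more characters." % self.min_length


class NoSequentialCharsValidator:
    """Reject a run of `max_run` characters that are identical ('aaa') or
    step through adjacent code points ('abc', '321'). Treating both kinds
    as 'sequential' is this example's reading of the ticket."""

    def __init__(self, max_run=3):
        self.max_run = max_run

    def validate(self, password, user=None):
        n = self.max_run
        for i in range(len(password) - n + 1):
            run = password[i:i + n]
            steps = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
            # One distinct step of -1, 0 or +1 means the run is sequential.
            if len(steps) == 1 and steps <= {-1, 0, 1}:
                raise ValidationError(
                    "This password contains the sequential run %r." % run,
                    code="password_sequential_characters")

    def get_help_text(self):
        return "Your password can't contain %d or more repeated or sequential characters in a row." % self.max_run


def shannon_bits(password):
    """Total Shannon entropy in bits: -sum(p * log2 p) over the characters
    actually used, multiplied by the password length."""
    if not password:
        return 0.0
    counts = Counter(password)
    length = len(password)
    per_symbol = -sum((c / length) * math.log2(c / length) for c in counts.values())
    return per_symbol * length


class ShannonEntropyValidator:
    """Reject passwords scoring below `min_bits` (default is an assumption)."""

    def __init__(self, min_bits=40.0):
        self.min_bits = min_bits

    def validate(self, password, user=None):
        bits = shannon_bits(password)
        if bits < self.min_bits:
            raise ValidationError(
                "This password scores %.1f bits of entropy; at least %.1f are required." % (bits, self.min_bits),
                code="password_low_entropy")

    def get_help_text(self):
        return "Your password must score at least %.0f bits of entropy." % self.min_bits


def collect_errors(password, validators):
    """Run every validator, like Django's validate_password does, but return
    the list of messages instead of raising; an empty list means the
    password passed all of them."""
    errors = []
    for validator in validators:
        try:
            validator.validate(password)
        except ValidationError as exc:
            errors.append(exc.message)
    return errors


if __name__ == "__main__":
    checks = [NoAmbiguousCharactersValidator(), NoRepeatSubstringsValidator(),
              NoSequentialCharsValidator(), ShannonEntropyValidator(min_bits=60)]
    # Constructed sample passwords: a short "complex" one, an obviously weak
    # one, and an all-lowercase passphrase.
    for pw in ("Tr0ub4dor&3", "abcabc123", "zebra quartz jumpy hawk vexed wharf"):
        print("%r -> %s" % (pw, collect_errors(pw, checks) or "ok"))
```

In a Django project each class would raise `django.core.exceptions.ValidationError` instead of the stand-in and be listed in `AUTH_PASSWORD_VALIDATORS` with its constructor arguments under `OPTIONS`. Running the sample shows the ticket's caveat in practice: the all-lowercase passphrase passes every check with well over 100 bits, while the short mixed-character password fails on both entropy and ambiguous characters; note too that the ambiguous-character set rejects any passphrase containing `o` or `l`, so that validator is a negative check to enable deliberately rather than by default.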

Change History (2)

comment:1 by Brad, 5 years ago

Needs documentation: set

comment:2 by Mariusz Felisiak, 5 years ago

Resolution: → wontfix
Status: new → closed
Version: 2.2 → master

Thanks for this patch, however I think it is a good candidate for a third-party package. Please write to the DevelopersMailingList if you want other opinions.

See related tickets #27568, #30100 and closing comments.
