id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30442	Add additional validators to auth/password_validation.py	Brad	nobody	"PR: https://github.com/django/django/pull/11319

Add the following validator classes:

NoAmbiguousCharactersValidator

    Validate that the password does not contain ambiguous characters.
    The default set of ambiguous characters is:
    { 0, 1, I, i, l, |, O, o }

NoRepeatSubstringsValidator

    Validate that the password does not contain repeated substrings
    longer than a given threshold.

NoSequentialCharsValidator

    Validate that the password does not contain sequential repeated
    characters.

ShannonEntropyValidator

    Validate that the password is sufficiently complex via the
    Shannon Entropy score.

Also add an __all__ dunder to contrib/auth/password_validation.py
that contains both top-level module functions and the full set
of validator classes.

Also add respective tests for each of the 4 new classes in
auth_test/test_validators.py.  Each, at a minimum, tests
`.validate()` and `.get_help_text()` in a manner similar to the
existing tests from that module.

--------------------------------------

Why add these classes?

These classes should be added in the spirit of _more validation is almost
always better._  These classes' `.validate()` methods are meant to be
straightforward, quick, and lightweight.  They offer checks that are
not captured by the existing validators.

One piece of food for thought is to more thoroughly document that
rules-based password validation can be a fool's errand depending on
how you structure it.  These days, the consensus seems to be moving
towards the conclusion that users should move their focus from passwords
to passphrases.  The idea here is that *entropy is king*:
a 38-character all-lowercase password could have 170 bits of entropy
but fail a basic ""mixed case letters"" test.  In other words, all of
the validators are best used in combination, and it should be
advertised everywhere possible that they provide _negative_ checks
in many cases rather than positive ones."	New feature	closed	contrib.auth	dev	Normal	wontfix	validators, password		Unreviewed	1	1	0	0	0	0
