id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31375	make_password shouldn't accept values other than bytes or string as an argument	iamdavidcz	Hasan Ramezani	"Currently `make_password` function accepts almost every Python object as an argument. This is a strange behaviour and it results directly from `force_bytes` casting objects to `str`. We should throw the `TypeError` when passing anything but `bytes` or `str` to `make_password`.

**Reasons:**

- programmers unaware of this strange behaviour can accidentally create weak passwords (potential security issue)
- other libraries raise the `TypeError` in the same cases (eg. Werkzeug, passlib)
- it's inconsistent with the documentation that says:
> It takes one mandatory argument: the password in plain-text.
- it's inconsistent with `validate_password` behaviour (passing anything but `bytes` or `str` to `validate_password` raises the `TypeError` with default `settings.AUTH_PASSWORD_VALIDATORS`).

**Discussion:**

https://groups.google.com/forum/#!topic/django-developers/1Ap0zDjFa4E"	Bug	closed	contrib.auth	3.0	Normal	fixed			Ready for checkin	1	0	0	0	0	0