Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#33758 closed Cleanup/optimization (wontfix)

make_random_password does not comply with AUTH_PASSWORD_VALIDATORS

Reported by: Javier Torres Owned by: Sosshi
Component: contrib.auth Version: 4.0
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The usage of

User.objects.make_random_password()

is limited since the generated passwords are not valid because they were created without meeting the validators criteria.

Change History (9)

comment:1 by Sosshi, 2 years ago

Owner: changed from nobody to Sosshi
Status: newassigned

comment:2 by Carlton Gibson, 2 years ago

Hi. Erm... I'm not sure what to say here.

The usage of ... is limited ...

Yes, it is. make_random_password() is essentially not used at all in the Django codebase.

An 11 year old comment from Russell says why:

The only reason I can think of to generate a random password would be to send it in cleartext. To which, the answer is a definitive No. Not ever.

https://code.djangoproject.com/ticket/15639#comment:2

I think we should probably deprecate and remove this method, rather than try and make it more complex 🤔

Version 1, edited 2 years ago by Carlton Gibson (previous) (next) (diff)

comment:3 by Mariusz Felisiak, 2 years ago

Component: Uncategorizedcontrib.auth
Resolution: wontfix
Status: assignedclosed
Type: UncategorizedCleanup/optimization

I think we should probably deprecate and remove this method, rather than try and make it more complex 🤔

Totally agreed, it's unused since fcd837cd0f9b2c706bc49af509628778d442bb3f. See #33764.

comment:4 by David Wobrock, 2 years ago

Component: contrib.authUncategorized
Type: Cleanup/optimizationUncategorized

One could imagine use cases for this function. For example a website that automatically creates accounts and sends out the plain passwords (through email, or something more secure) for a first log in - but then forces password change on first use.

But I agree with Carlton (and Russell) that Django shouldn't "encourage" this, since the implementation then requires some special attention.
+1 for deprecating this function

comment:5 by David Wobrock, 2 years ago

Component: Uncategorizedcontrib.auth
Type: UncategorizedCleanup/optimization

Oopsie

comment:6 by Carlton Gibson, 2 years ago

Resolution: wontfix
Status: closednew
Summary: make_random_password does not comply with AUTH_PASSWORD_VALIDATORSDeprecate make_random_password() method.
Triage Stage: UnreviewedAccepted

OK — let's retitle and accept to deprecate then.

@Javier, would you fancy taking that on? (See Deprecating a feature for guidance but happy to advise too.)

Thanks all!

comment:7 by Carlton Gibson, 2 years ago

Release notes could point to the recipe in the Python stdlib `secrets` module docs — which would be the recommended way to do something in this space if you did have a use-case.

comment:8 by Mariusz Felisiak, 2 years ago

Resolution: wontfix
Status: newclosed
Summary: Deprecate make_random_password() method.make_random_password does not comply with AUTH_PASSWORD_VALIDATORS
Triage Stage: AcceptedUnreviewed

Carlton, I added a separate ticket for deprecation, see #33764.

in reply to:  2 comment:9 by Carlton Gibson, 2 years ago

Ah, thanks Mariusz.

Note: See TracTickets for help on using tickets.
Back to Top