#33758 closed Cleanup/optimization (wontfix)
make_random_password does not comply with AUTH_PASSWORD_VALIDATORS
Reported by: | Javier Torres | Owned by: | Sosshi |
---|---|---|---|
Component: | contrib.auth | Version: | 4.0 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The usage of `User.objects.make_random_password()` is limited since the generated passwords are not valid because they were created without meeting the validators criteria.
Change History (9)
comment:1 by , 2 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 2 years ago
Component: | Uncategorized → contrib.auth |
---|---|
Resolution: | → wontfix |
Status: | assigned → closed |
Type: | Uncategorized → Cleanup/optimization |
I think we should probably deprecate and remove this method, rather than try and make it more complex 🤔
Totally agreed, it's unused since fcd837cd0f9b2c706bc49af509628778d442bb3f. See #33764.
comment:4 by , 2 years ago
Component: | contrib.auth → Uncategorized |
---|---|
Type: | Cleanup/optimization → Uncategorized |
One could imagine use cases for this function. For example a website that automatically creates accounts and sends out the plain passwords (through email, or something more secure) for a first log in - but then forces password change on first use.
But I agree with Carlton (and Russell) that Django shouldn't "encourage" this, since the implementation then requires some special attention.
+1 for deprecating this function
comment:5 by , 2 years ago
Component: | Uncategorized → contrib.auth |
---|---|
Type: | Uncategorized → Cleanup/optimization |
Oopsie
comment:6 by , 2 years ago
Resolution: | wontfix |
---|---|
Status: | closed → new |
Summary: | make_random_password does not comply with AUTH_PASSWORD_VALIDATORS → Deprecate make_random_password() method. |
Triage Stage: | Unreviewed → Accepted |
OK — let's retitle and accept to deprecate then.
@Javier, would you fancy taking that on? (See Deprecating a feature for guidance but happy to advise too.)
Thanks all!
comment:7 by , 2 years ago
Release notes could point to the recipe in the Python stdlib `secrets` module docs — which would be the recommended way to do something in this space if you did have a use-case.
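The `secrets`-based approach mentioned in comment 7, applied to the validator problem from the ticket description, as an added example (not part of the ticket and not Django's code). `PolicyError`, `min_length`, `not_all_numeric`, `mixed_classes` and `generate_password` are hypothetical stand-ins for a project's `AUTH_PASSWORD_VALIDATORS`, so the block runs without Django installed.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


class PolicyError(ValueError):
    """Stand-in for Django's ValidationError (assumption for this example)."""


def min_length(n):
    def check(pw):
        if len(pw) < n:
            raise PolicyError(f"shorter than {n} characters")
    return check


def not_all_numeric(pw):
    if pw.isdigit():
        raise PolicyError("entirely numeric")


def mixed_classes(pw):
    # Hypothetical site-specific rule: lowercase, uppercase and a digit.
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)):
        raise PolicyError("needs lowercase, uppercase and a digit")


def generate_password(validators, length=16, alphabet=ALPHABET, max_tries=1000):
    """Rejection sampling: draw whole candidates from the CSPRNG until one
    passes every validator, so valid passwords stay equally likely."""
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        try:
            for validate in validators:
                validate(candidate)
        except PolicyError:
            continue  # discard and redraw; never patch characters in place
        return candidate
    # A policy the generator cannot meet must fail loudly, not loop forever.
    raise RuntimeError("no candidate satisfied the validators")


if __name__ == "__main__":
    policy = [min_length(12), not_all_numeric, mixed_classes]
    print(generate_password(policy))
```

In a Django project the inner loop would instead call `django.contrib.auth.password_validation.validate_password(candidate)` and catch `ValidationError`, which checks the candidate against the configured `AUTH_PASSWORD_VALIDATORS`.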
comment:8 by , 2 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Summary: | Deprecate make_random_password() method. → make_random_password does not comply with AUTH_PASSWORD_VALIDATORS |
Triage Stage: | Accepted → Unreviewed |
Carlton, I added a separate ticket for deprecation, see #33764.
Hi. Erm... I'm not sure what to say here.
Yes, it is.
`make_random_password()` is essentially not used at all in the Django codebase. An 11-year-old comment from Russell says why:
https://code.djangoproject.com/ticket/15639#comment:2
I think we should probably deprecate and remove this method, rather than try and make it more complex 🤔