#33758 closed Cleanup/optimization (wontfix)
make_random_password does not comply with AUTH_PASSWORD_VALIDATORS
| Reported by: | Javier Torres | Owned by: | Sosshi |
|---|---|---|---|
| Component: | contrib.auth | Version: | 4.0 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The usage of `User.objects.make_random_password()` is limited since the generated passwords are not valid because they were created without meeting the validators criteria.
Change History (9)
comment:1 by , 3 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 3 years ago
| Component: | Uncategorized → contrib.auth |
|---|---|
| Resolution: | → wontfix |
| Status: | assigned → closed |
| Type: | Uncategorized → Cleanup/optimization |
I think we should probably deprecate and remove this method, rather than try and make it more complex 🤔
Totally agreed, it's unused since fcd837cd0f9b2c706bc49af509628778d442bb3f. See #33764.
comment:4 by , 3 years ago
| Component: | contrib.auth → Uncategorized |
|---|---|
| Type: | Cleanup/optimization → Uncategorized |
One could imagine use cases for this function. For example a website that automatically creates accounts and sends out the plain passwords (through email, or something more secure) for a first log in - but then forces password change on first use.
But I agree with Carlton (and Russell) that Django shouldn't "encourage" this, since the implementation then requires some special attention.
+1 for deprecating this function
comment:5 by , 3 years ago
| Component: | Uncategorized → contrib.auth |
|---|---|
| Type: | Uncategorized → Cleanup/optimization |
Oopsie
comment:6 by , 3 years ago
| Resolution: | wontfix |
|---|---|
| Status: | closed → new |
| Summary: | make_random_password does not comply with AUTH_PASSWORD_VALIDATORS → Deprecate make_random_password() method. |
| Triage Stage: | Unreviewed → Accepted |
OK — let's retitle and accept to deprecate then.
@Javier, would you fancy taking that on? (See Deprecating a feature for guidance but happy to advise too.)
Thanks all!
comment:7 by , 3 years ago
Release notes could point to the recipe in the Python stdlib `secrets` module docs — which would be the recommended way to do something in this space if you did have a use-case.
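An added example, not part of the ticket or of Django's code: generation with the stdlib `secrets` module, as comment 7 suggests, with rejection sampling so the result passes a password policy, which is the gap the description reports. The validator functions and `generate_password` are hypothetical stand-ins for a project's configured `AUTH_PASSWORD_VALIDATORS`, written against the standard library only.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

# Hypothetical policy checks (assumptions, not Django's validator classes).
# Each takes a password and returns an error message, or None if it passes.
def min_length(n):
    def check(pw):
        return None if len(pw) >= n else f"shorter than {n} characters"
    return check

def not_entirely_numeric(pw):
    return "entirely numeric" if pw.isdigit() else None

def mixed_classes(pw):
    ok = (any(c.islower() for c in pw)
          and any(c.isupper() for c in pw)
          and any(c.isdigit() for c in pw))
    return None if ok else "needs lowercase, uppercase and a digit"

def violations(pw, validators):
    """Return the messages of every validator the password fails."""
    return [msg for v in validators if (msg := v(pw)) is not None]

def generate_password(validators, length=16, alphabet=ALPHABET, max_tries=1000):
    """Draw candidates from the OS CSPRNG until one passes every validator.

    Rejecting whole candidates keeps the result uniform over the set of
    acceptable passwords; patching a failing candidate in place would not.
    A policy the length/alphabet cannot satisfy ends in ValueError instead
    of an endless loop.
    """
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(candidate, validators):
            return candidate
    raise ValueError("no candidate satisfied the policy; check length and alphabet")

if __name__ == "__main__":
    policy = [min_length(12), not_entirely_numeric, mixed_classes]
    print(generate_password(policy))
```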
comment:8 by , 3 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
| Summary: | Deprecate make_random_password() method. → make_random_password does not comply with AUTH_PASSWORD_VALIDATORS |
| Triage Stage: | Accepted → Unreviewed |
Carlton, I added a separate ticket for deprecation, see #33764.
Hi. Erm... I'm not sure what to say here.
Yes, it is.
`make_random_password()` is essentially not used at all in the Django codebase. An 11 year old comment from Russell says why:
I think we should probably deprecate and remove this method, rather than try and make it more complex 🤔