Context Navigation

← Previous Ticket
Next Ticket →

#36179 new Bug

hexed strings in common passwords database are not handled

Reported by:	Michel Le Bihan	Owned by:	Michel Le Bihan
Component:	contrib.auth	Version:	5.1
Severity:	Normal	Keywords:	CommonPasswordValidator
Cc:		Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description (last modified by Michel Le Bihan)

Hello,

The common passwords database file (https://github.com/django/django/blob/main/django/contrib/auth/common-passwords.txt.gz) used by CommonPasswordValidator contains hexed strings like $hex[617364666a6b6c3a] on line 1679. That decodes to asdfjkl: which I believe is a common password that was intended to be included in the database. Another example is $hex[2623323333363a] on line 8616 that decodes to &#2336:. I see that https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce contains the line 50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a] and echo -n 'asdfjkl:' | sha1sum produces 72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b. CommonPasswordValidator does not handle those hexed strings which I believe is wrong.

I propose to update the database file to decode the hexed values and remove those that obviously can't be entered by a user.

Change History (9)

comment:1 by Michel Le Bihan, 3 days ago

Description:	modified (diff)

comment:2 by Michel Le Bihan, 3 days ago

Has patch:	set

comment:3 by Antoliny, 3 days ago

Owner:	set to Michel Le Bihan
Status:	new → assigned

comment:4 by Sarah Boyce, 2 days ago

Resolution:	→ invalid
Status:	assigned → closed

Thank you for the ticket
I think you are referring to there passwords asdfjkl; and ठ (; not :) which are validating correctly, the others are not in the list

comment:5 by Michel Le Bihan, 2 days ago

Hello,

I'm referring to those with : at the end. Please just search $hex in that file and you will notice the issue.

comment:6 by Michel Le Bihan, 2 days ago

Resolution:	invalid
Status:	closed → new

comment:7 by Michel Le Bihan, 2 days ago

Please see this line: https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce#file-pwnedpasswords-v6-top20k-txt-L1728

comment:8 by Sarah Boyce, 2 days ago

Triage Stage:	Unreviewed → Accepted

Ah thank you!
Folks can de-hex using this tool: https://www.rapidtables.com/convert/number/hex-to-ascii.html

Here is a regression test:

tests/auth_tests/test_validators.py

                class CommonPasswordValidatorTest(SimpleTestCase):
             CommonPasswordValidator().validate("godzilla")
         self.assertEqual(cm.exception.messages, [expected_error])
+    def test_common_hexed_codes(self):
+        expected_error = "This password is too common."
+        common_hexed_passwords = ["asdfjkl:", "&#2336:"]
+        for password in common_hexed_passwords:
+            with self.subTest(password=password):
+                with self.assertRaises(ValidationError) as cm:
+                    CommonPasswordValidator().validate(password)
+                self.assertEqual(cm.exception.messages, [expected_error])
     def test_validate_custom_list(self):
         path = os.path.join(

comment:9 by Michel Le Bihan, 2 days ago

I sent a patch that unhexes the values in the database: https://github.com/django/django/pull/19155

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues