Admin password can be set to empty

[bruno@…]

Following this article: ​http://coderseye.com/2007/howto-reset-the-admin-password-in-django.html it appears that you can use the User model to set any password (including admin) to an empty string without a error message.

$ sudo ./manage.py shell
Python 2.4.3 (#2, Oct  6 2006, 07:52:30)
[GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from django.contrib.auth.models import User
>>> users = User.objects.all()
>>> users
[<User: bruno>]
>>> users[0].set_password('')
>>> users[0].save()
>>>

Worst is, if you connect to the admin interface, it lets you in using an empty password.

[Simon G. <dev@…>]

We should probably fix the empty-password-allowing-login issue in admin at least.

[James Bennett]

I'm not sure there's actually a bug here; Django lets you set your password to anything you like, and while this may sound harsh, it's up to a user not to set a really bad password.

[James Bennett]

(and the reason why the empty-string password works, btw, is that the DB ends up storing the salted SHA1 hash of an empty string, not the empty string itself)

[Simon G. <dev@…>]

Hmm.. I can definitely see both points of view here.

It just feels *wrong* to allow an empty password ever. *However*, the admin site does prevent you from changing your password to an empty one (not directly though - you get a "this field is required" validation error). The only way to change this to an empty password is via the User model (either via set_password or directly modifying it), and if a malicious user has access to that, then you have bigger issues to deal with.

I've marked this as wontfix, but if anyone else has anything to add, please jump in.