id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
4170	Admin password can be set to empty	bruno@…	Adrian Holovaty	"Following this article: http://coderseye.com/2007/howto-reset-the-admin-password-in-django.html it appears that you can use the User model to set any password (including admin) to an empty string without a error message.

{{{
$ sudo ./manage.py shell
Python 2.4.3 (#2, Oct  6 2006, 07:52:30)
[GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2
Type ""help"", ""copyright"", ""credits"" or ""license"" for more information.
(InteractiveConsole)
>>> from django.contrib.auth.models import User
>>> users = User.objects.all()
>>> users
[<User: bruno>]
>>> users[0].set_password('')
>>> users[0].save()
>>>
}}}

Worst is, if you connect to the admin interface, it lets you in using an empty password."		closed	contrib.admin	dev		wontfix	password admin user auth		Design decision needed	0	0	0	0	0	0