Enable auth validate passwords #5696


Merged: 2 commits from humitos/auth-password-validators into master, May 15, 2019

Conversation

@humitos humitos (Member) commented May 14, 2019

Define some simple validators to use when creating a new user or
changing the password.

https://docs.djangoproject.com/en/1.11/topics/auth/passwords/#module-django.contrib.auth.password_validation

Closes #5551

@humitos humitos requested review from davidfischer and a team May 14, 2019 09:56
@ericholscher ericholscher (Member) left a comment


I'm not convinced we should turn these on for dev. I have to type these passwords all the time, and really don't want them to be real passwords.

Review context (the settings lines the inline comment below refers to, from the PR's diff):

```python
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
]
```
@ericholscher ericholscher (Member) commented May 14, 2019

I really dislike these defaults in dev. I think these should likely only be prod settings, or disabled explicitly in dev settings.

@davidfischer davidfischer (Contributor)

I'm in favor of these settings being present in the base settings file as they are in this PR. This helps others who take our code to do the right thing as well as ensuring that all the different instances we control (community site, corporate site, etc.) have sound security defaults.

I can understand @ericholscher's position and we could also set AUTH_PASSWORD_VALIDATOR=[] in dev.py to ease the development settings.

@humitos humitos (Member, Author) commented May 14, 2019

> I can understand @ericholscher's position and we could also set AUTH_PASSWORD_VALIDATOR=[] in dev.py to ease the development settings.

I like this. I will update the PR for this.
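The arrangement the thread settles on (validators listed in the base settings, switched off in dev.py) is easy to get subtly wrong, so here is a self-contained model of it. This is an added example, not Read the Docs' code or Django's: the two validator classes are pure-Python stand-ins that follow the documented behaviour of Django's `MinimumLengthValidator` (default minimum of 8 characters) and `UserAttributeSimilarityValidator` (default attributes username, first_name, last_name, email; rejects when `difflib.SequenceMatcher.quick_ratio()` reaches 0.7), so the script runs without Django installed. The `BASE_SETTINGS`/`DEV_SETTINGS` dictionaries, the `User` dataclass and `password_errors()` are constructed for the example. Note that the real Django setting is spelled `AUTH_PASSWORD_VALIDATORS` (plural); a misspelled override in dev.py would be silently ignored, leaving the base validators active.

```python
"""Model of layering AUTH_PASSWORD_VALIDATORS between base and dev settings.

Added example (not Read the Docs' or Django's code). The validator classes
below approximate the two Django validators named in the PR so the script
runs offline; the settings dicts and the User type are constructed here.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher


class ValidationError(Exception):
    """Raised by a validator that rejects a password."""


class MinimumLengthValidator:
    """Reject passwords shorter than min_length (Django's default is 8)."""

    def __init__(self, min_length=8):
        self.min_length = min_length

    def validate(self, password, user=None):
        if len(password) < self.min_length:
            raise ValidationError(
                f"password must contain at least {self.min_length} characters"
            )


class UserAttributeSimilarityValidator:
    """Reject passwords too similar to the user's own attributes.

    Mirrors Django's approach: each attribute is split on non-word
    characters (so the local part of an e-mail is checked on its own) and
    compared case-insensitively with SequenceMatcher.quick_ratio().
    """

    DEFAULT_ATTRIBUTES = ("username", "first_name", "last_name", "email")

    def __init__(self, user_attributes=DEFAULT_ATTRIBUTES, max_similarity=0.7):
        self.user_attributes = user_attributes
        self.max_similarity = max_similarity

    def validate(self, password, user=None):
        if user is None:
            return
        password_lower = password.lower()
        for name in self.user_attributes:
            value = getattr(user, name, None)
            if not value or not isinstance(value, str):
                continue
            parts = re.split(r"\W+", value) + [value]
            for part in parts:
                ratio = SequenceMatcher(a=password_lower, b=part.lower()).quick_ratio()
                if ratio >= self.max_similarity:
                    raise ValidationError(f"password is too similar to the {name}")


# Registry standing in for Django's dotted-path import of validator classes.
VALIDATOR_CLASSES = {
    "UserAttributeSimilarityValidator": UserAttributeSimilarityValidator,
    "MinimumLengthValidator": MinimumLengthValidator,
}

# base.py: validators on by default, as the PR adds them. (Constructed dict.)
BASE_SETTINGS = {
    "AUTH_PASSWORD_VALIDATORS": [
        {"NAME": "UserAttributeSimilarityValidator"},
        {"NAME": "MinimumLengthValidator"},
    ],
}

# dev.py: inherits base and explicitly clears the list, as proposed in the thread.
DEV_SETTINGS = {**BASE_SETTINGS, "AUTH_PASSWORD_VALIDATORS": []}


@dataclass
class User:
    """Minimal user record with the attributes the similarity check reads."""
    username: str
    first_name: str = ""
    last_name: str = ""
    email: str = ""


def get_password_validators(settings):
    """Instantiate the validators a settings module configures, in order."""
    return [
        VALIDATOR_CLASSES[cfg["NAME"]](**cfg.get("OPTIONS", {}))
        for cfg in settings["AUTH_PASSWORD_VALIDATORS"]
    ]


def password_errors(password, user, settings):
    """Run every configured validator and collect the rejection messages."""
    errors = []
    for validator in get_password_validators(settings):
        try:
            validator.validate(password, user)
        except ValidationError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    alice = User("alice", "Alice", "Smith", "alice@example.com")  # constructed
    for pw in ("alice123", "short", "correct horse battery"):
        print(repr(pw), "base:", password_errors(pw, alice, BASE_SETTINGS),
              "dev:", password_errors(pw, alice, DEV_SETTINGS))
```

Running it shows `alice123` rejected under the base settings because it resembles the username, `short` rejected for length only, and every password accepted under the dev settings because the list is empty; `get_password_validators(DEV_SETTINGS)` returning an empty list is the quickest check that the override really took effect.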

@davidfischer davidfischer (Contributor) left a comment


I also verified that django-allauth will use this setting.

@humitos humitos merged commit 2fa1989 into master May 15, 2019
@delete-merged-branch delete-merged-branch bot deleted the humitos/auth-password-validators branch May 15, 2019 15:20
Successfully merging this pull request may close these issues: Local instance allows weak passwords
3 participants