#16860: Provide hooks for password policy
------------------------------+------------------------------------
Reporter: PaulM | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: 1.3
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Old description:
> While it is possible to change the validation for new passwords by
> subclassing the form, I think that Django should provide a more friendly
> interface for this. We should have a pluggable password authentication
> framework which enforces no rules by default, but comes with several
> reasonable example policies which may be enabled.
>
> Problems to be solved include:
>
> * Informing the user of the various password requirements
> * Allowing policies to chain together smoothly
> * Provide flexibility for complex requirements (some may include their
> own models)
> * Backwards compatibility
> * Javascript validation assistance (someday, maybe?)
> * HTML5 support (i.e. the pattern attribute)
> * Support for various rate-limiting and lockout schemes
> * support for adding captchas (maybe)
New description:
While it is possible to change the validation for new passwords by
subclassing the form, I think that Django should provide a more friendly
interface for this. We should have a pluggable password authentication
framework which enforces no rules by default, but comes with several
reasonable example policies which may be enabled.
Problems to be solved include:
* Informing the user of the various password requirements
* Allowing policies to chain together smoothly
* Provide flexibility for complex requirements (some may include their
own models)
* Backwards compatibility
* Javascript validation assistance (someday, maybe?)
* HTML5 support (i.e. the pattern attribute)
* Prevent using email, username or other user attributes as (part of)
passwords
* Prevent reuse of old passwords
--
Comment (by shaib):
I replaced two requirements that seem to be applicable to login pages
(rate-limiting & lockout, captcha) with ones more applicable to password
setting (use of user attributes, old password reuse).
--
Ticket URL: <https://code.djangoproject.com/ticket/16860#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/063.fef9b5f59fbc8e1ddd488ad0a891f085%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
