#30442: Add additional validators to auth/password_validation.py
-------------------------------------+-------------------------------------
               Reporter:  Brad       |                    Owner:  nobody
                   Type:  New feature|                   Status:  new
              Component:  contrib.auth|                 Version:  2.2
               Severity:  Normal     |                 Keywords:  validators, password
           Triage Stage:  Unreviewed |                Has patch:  1
    Needs documentation:  0          |              Needs tests:  0
Patch needs improvement:  0          |            Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
PR: https://github.com/django/django/pull/11319
Add the following validator classes:

 NoAmbiguousCharactersValidator::
   Validate that the password does not contain ambiguous characters. The default set of ambiguous characters is: { 0, 1, I, i, l, |, O, o }
 NoRepeatSubstringsValidator::
   Validate that the password does not contain repeated substrings longer than a given threshold.
 NoSequentialCharsValidator::
   Validate that the password does not contain sequential repeated characters.
 ShannonEntropyValidator::
   Validate that the password is sufficiently complex via the Shannon Entropy score.

Also add an `__all__` dunder to contrib/auth/password_validation.py that contains both top-level module functions and the full set of validator classes.

Also add respective tests for each of the 4 new classes in auth_tests/test_validators.py. Each, at a minimum, tests `.validate()` and `.get_help_text()` in a manner similar to the existing tests from that module.

--------------------------------------

Why add these classes?

These classes should be added in the spirit of _more validation is almost always better._ These classes' `.validate()` methods are meant to be straightforward, quick, and lightweight. They offer checks that are not captured by the existing validators.

One piece of food for thought is to more thoroughly document that rules-based password validation can be a fool's errand depending on how you structure it. These days, the consensus seems to be moving towards the conclusion that users should no longer focus on passwords but on passphrases. The idea here is that *entropy is king*: a 38-character all-lowercase password could have 170 bits of entropy but fail a basic "mixed case letters" test. In other words, all of the validators are best used in combination, and it should be advertised everywhere possible that they provide _negative_ checks in many cases rather than positive ones.

--
Ticket URL: <https://code.djangoproject.com/ticket/30442>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
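The four validators described above, sketched in Django's password-validator shape (`validate(password, user=None)` raising a `ValidationError`, plus `get_help_text()`). This is an added example, not the code from the linked PR or from Django itself. Assumptions: a local stand-in for `django.core.exceptions.ValidationError` so the file runs without Django installed; "sequential repeated characters" is read as runs of one character (e.g. `aaa`); the Shannon score is bits per character computed from the password's own character frequencies, multiplied by its length; the error codes, thresholds and `run_validators` helper are invented for illustration. The entropy figure is a rough complexity score, not guess-resistance: it can never exceed log2(number of distinct characters) per character, so it is best used alongside the other checks, as the ticket itself argues.

```python
import math
from collections import Counter


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError (assumption: only the
    message/code shape matters for this example)."""

    def __init__(self, message, code=None):
        super().__init__(message)
        self.message = message
        self.code = code


class NoAmbiguousCharactersValidator:
    """Reject passwords containing easily confused glyphs (default set from the ticket)."""
    DEFAULT_AMBIGUOUS = frozenset("01IilOo|")

    def __init__(self, ambiguous=None):
        self.ambiguous = frozenset(ambiguous) if ambiguous is not None else self.DEFAULT_AMBIGUOUS

    def validate(self, password, user=None):
        found = "".join(sorted(set(password) & self.ambiguous))
        if found:
            raise ValidationError("This password contains ambiguous characters: %s" % found,
                                  code="password_ambiguous_characters")

    def get_help_text(self):
        return "Your password can't contain any of these characters: %s" % "".join(sorted(self.ambiguous))


class NoRepeatSubstringsValidator:
    """Reject passwords in which some substring longer than `threshold` occurs twice
    (overlapping occurrences count)."""

    def __init__(self, threshold=3):
        self.threshold = threshold

    def find_repeat(self, password):
        """Return the longest repeated substring longer than the threshold, or None."""
        n = len(password)
        for length in range(n - 1, self.threshold, -1):  # longest candidates first
            seen = set()
            for i in range(n - length + 1):
                sub = password[i:i + length]
                if sub in seen:
                    return sub
                seen.add(sub)
        return None

    def validate(self, password, user=None):
        repeat = self.find_repeat(password)
        if repeat is not None:
            raise ValidationError("This password repeats the substring %r." % repeat,
                                  code="password_repeated_substring")

    def get_help_text(self):
        return "Your password can't repeat any sequence of more than %d characters." % self.threshold


class NoSequentialCharsValidator:
    """Reject runs of the same character longer than `max_run` (assumed reading of the ticket)."""

    def __init__(self, max_run=2):
        self.max_run = max_run

    @staticmethod
    def longest_run(password):
        best = run = 0
        prev = None
        for ch in password:
            run = run + 1 if ch == prev else 1
            prev = ch
            best = max(best, run)
        return best

    def validate(self, password, user=None):
        if self.longest_run(password) > self.max_run:
            raise ValidationError("This password repeats a character more than %d times in a row." % self.max_run,
                                  code="password_sequential_characters")

    def get_help_text(self):
        return "Your password can't contain the same character more than %d times in a row." % self.max_run


class ShannonEntropyValidator:
    """Reject passwords whose total Shannon entropy (bits/char from the password's own
    character frequencies, times length) is below `min_bits` (assumed scoring)."""

    def __init__(self, min_bits=40.0):
        self.min_bits = min_bits

    @staticmethod
    def entropy_bits(password):
        n = len(password)
        if n == 0:
            return 0.0
        per_char = -sum((c / n) * math.log2(c / n) for c in Counter(password).values())
        return per_char * n

    def validate(self, password, user=None):
        bits = self.entropy_bits(password)
        if bits < self.min_bits:
            raise ValidationError("This password is not complex enough (%.1f bits, %.1f required)."
                                  % (bits, self.min_bits), code="password_low_entropy")

    def get_help_text(self):
        return "Your password must have at least %.0f bits of Shannon entropy." % self.min_bits


# Hypothetical default chain; Django would build this from AUTH_PASSWORD_VALIDATORS.
DEFAULT_VALIDATORS = [NoAmbiguousCharactersValidator(), NoRepeatSubstringsValidator(),
                      NoSequentialCharsValidator(), ShannonEntropyValidator()]


def run_validators(password, validators=DEFAULT_VALIDATORS):
    """Run every validator and return the list of error codes raised (empty means accepted)."""
    codes = []
    for validator in validators:
        try:
            validator.validate(password)
        except ValidationError as exc:
            codes.append(exc.code)
    return codes


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("grey-tubas-crank-7sw", "abcdabcdxyz", "aaaaaaaa", "hello"):
        print(repr(sample), run_validators(sample) or "ok")
```

Note that `NoRepeatSubstringsValidator.find_repeat` is O(n^3) in the worst case; that is acceptable for password-length input but, like Django's own validators, it should never be run over untrusted input of unbounded length.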