[ANNOUNCE] Django security advisory: Vulnerability in password reset (master branch only)


Tim Graham

Nov 21, 2016, 4:13:21 PM
to django-announce, django-d...@googlegroups.com, django...@googlegroups.com
We don't normally give security advisories for issues that affect only
the master branch, but in this case we've made an exception as the issue
could be high impact.

Please see the blog post for details:
https://www.djangoproject.com/weblog/2016/nov/21/passwordresetconfirmview-security-advisory/

William Hakizimana

Nov 23, 2016, 10:21:13 AM
to Django developers (Contributions to Django itself), django-...@googlegroups.com, django...@googlegroups.com
While we are at it, could we implement these NIST new password guidelines into django? Just

Erik Romijn

Nov 23, 2016, 11:03:52 AM
to django-d...@googlegroups.com
Hello,

Django has had password validation built in as of 1.9. As far as I can see, all guidelines you refer to are already implemented there, and enabled by default in new projects. Could you elaborate on what changes you think we need to make?

Erik

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/71b646e9-9a39-4e47-9aa9-c6cfacd82b6e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

João Sampaio

Nov 24, 2016, 6:12:11 AM
to django-d...@googlegroups.com
Two comments:

(1) The documentation says: By default, no validation is performed and all passwords are accepted. So they are not enabled by default in new projects.
(2) There is one recommendation that we are not following: No composition rules. There's a validator to forbid numeric-only passwords, but adding non-numeric characters is illusory complexity, I think. Computers have as hard a time guessing alpha characters as they have guessing digits. It's all bytes to the computer. To the attacker, they will have to test alpha characters and digits alike, since they don't know if the password is numeric-only. Now, I'm not saying we should follow this, just that we are not, and that's ok. I guess numeric passwords will be easier to guess if the attacker is someone who could see you type your password from a distance and, since you'll only use numbers, that's the hint they need to make their job easier.


Aymeric Augustin

Nov 24, 2016, 6:31:56 AM
to django-d...@googlegroups.com
On 24 Nov 2016, at 12:12, João Sampaio <jpm...@gmail.com> wrote:

(1) The documentation says: By default, no validation is performed and all passwords are accepted. So they are not enabled by default in new projects.

This is the usual (and understandable) confusion between:

- the “default” if you upgrade a project that predates the password validation feature and don’t add an AUTH_PASSWORD_VALIDATORS setting: no validation is performed, for backwards compatibility
- the “default” if you start a new project with startproject after the password validation feature was added, then the generated settings.py will contain a reasonable default for AUTH_PASSWORD_VALIDATORS

Another setting that often causes the same confusion is USE_TZ, the “default if not provided” is False and the “default in project template” is True.

-- 
Aymeric.

João Sampaio

Nov 24, 2016, 7:29:56 AM
to django-d...@googlegroups.com
Oh, right! I didn't think of that! Thanks for the correction.


Aymeric Augustin

Nov 24, 2016, 7:52:15 AM
to django-d...@googlegroups.com
On 24 Nov 2016, at 13:29, João Sampaio <jpm...@gmail.com> wrote:

> Oh, right! I didn't think of that! Thanks for the correction.


Don’t apologize, it’s an annoying usability issue.

I’d be in favor of breaking backwards compatibility to fix it.

--
Aymeric.

Brenton Cleeland

Nov 24, 2016, 8:48:25 AM
to django-d...@googlegroups.com
An easy improvement from the NIST guidelines would be to increase the size of Django's common passwords list.

Django currently includes 1,000, the linked NIST summary suggests using 100,000 (!!).


--
Cheers,
Brenton

I host melbdjango, it's rad! https://brntn.me // @sesh
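The two behaviours the thread turns on (Aymeric's "default if not provided" versus "default in the project template", and Brenton's point that the common-password check is only as strong as its list) can be seen in a small stand-in for Django's validation plumbing. This is an added example, not Django's own code: the classes mimic the ones in django.contrib.auth.password_validation, the word lists are constructed samples, and the `common_passwords` option is this example's own (Django's real validator takes a `password_list_path`).

```python
# Added example, not Django's own code: a minimal stand-in for its password validation
# plumbing reproducing the thread's points. Word lists below are constructed samples.
SMALL_COMMON_LIST = {"password", "123456", "qwerty", "letmein"}                # ~Django's 1,000
LARGE_COMMON_LIST = SMALL_COMMON_LIST | {"trustno1", "sunshine", "iloveyou"}   # ~NIST's 100,000

class NumericPasswordValidator:
    """Composition rule the thread debates: reject all-digit passwords."""
    def validate(self, password):
        if password.isdigit():
            raise ValueError("This password is entirely numeric.")

class CommonPasswordValidator:
    """Reject any password in the list; only as strong as the list behind it."""
    def __init__(self, common_passwords=SMALL_COMMON_LIST):
        self.common = {p.lower() for p in common_passwords}
    def validate(self, password):
        if password.lower().strip() in self.common:
            raise ValueError("This password is too common.")

# Dotted NAME strings as written in settings.py, mapped to the local stand-ins.
VALIDATOR_CLASSES = {
    "django.contrib.auth.password_validation.NumericPasswordValidator": NumericPasswordValidator,
    "django.contrib.auth.password_validation.CommonPasswordValidator": CommonPasswordValidator,
}

def validators_from_settings(settings):
    """'Default if not provided': a missing or empty setting yields no validators at all."""
    return [VALIDATOR_CLASSES[e["NAME"]](**e.get("OPTIONS", {}))
            for e in settings.get("AUTH_PASSWORD_VALIDATORS", [])]

def validate_password(password, validators):
    """Return the error messages; an empty list means the password is accepted."""
    errors = []
    for validator in validators:
        try:
            validator.validate(password)
        except ValueError as exc:
            errors.append(str(exc))
    return errors

# An upgraded project that never added the setting, versus what startproject generates.
LEGACY_SETTINGS = {}
TEMPLATE_SETTINGS = {"AUTH_PASSWORD_VALIDATORS": [
    {"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"},
    {"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator",
     "OPTIONS": {"common_passwords": LARGE_COMMON_LIST}},
]}
```

With `LEGACY_SETTINGS` every password is accepted, including "123456"; with the template settings it fails both validators, and "sunshine" is caught only because the larger list contains it.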