New Password Validators
Mehmet Dogan
UserAttributeSimilarityValidator
MinimumLengthValidator
CommonPasswordValidator
NumericPasswordValidator
class HasLowerCaseValidator:
def __init__(self):
self.message = "The password must contain at least one lowercase character."
def validate(self, password, user=None):
if re.search('[a-z]', password) is None:
raise ValidationError(
self.message,
code='missing_lower_case',
)
def get_help_text(self):
return self.message
class HasUpperCaseValidator:
def __init__(self):
self.message = "The password must contain at least one uppercase character."
def validate(self, password, user=None):
if re.search('[A-Z]', password) is None:
raise ValidationError(
self.message,
code='missing_upper_case',
)
def get_help_text(self):
return self.message
class HasNumberValidator:
def __init__(self):
self.message = "The password must contain at least one numeric character."
def validate(self, password, user=None):
if re.search('[0-9]', password) is None:
raise ValidationError(
self.message,
code='missing_numeric',
)
def get_help_text(self):
return self.message
class HasSymbolValidator:
def __init__(self):
self.message = "The password must contain at least one non-alphanumeric character (symbol)."
def validate(self, password, user=None):
if re.search('[^A-Za-z0-9]', password) is None:
raise ValidationError(
self.message,
code='missing_symbol',
)
def get_help_text(self):
return self.message
Regards,
Mehmet
James Bennett
Adam Johnson
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAL13Cg_%2BKMi2naSExPR0MVvBb0JnY%3DFV7A6goDHeaTWRoSpaJQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Anand Mishra
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM3PLGC%2B_y6SUsA_yOAuZqzfRZiyqOVbpsq%3DNbex%2B-eNjg%40mail.gmail.com.
This message contains confidential information and is intended only for the individual named. If you are not the name addressee you should not disseminate, distribute or copy this e-mail. You cannot use or forward any attachments in the email. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Analytics Vidhya Educon Private Limited, DLF Phase 2, Gurgaon, India, www.analyticsvidhya.com
Mehmet Dogan
Hey James,
Thank you for the resources you provided. I really learned a lot. Here are a few points (references/details at the very bottom):
- Blacklisting: Seems to be most effective, I agree. However, Django does not seem to be up to date on this either. The list of 1000 most common password it uses seem to be taken from an URL which is not available anymore, and the page it redirects to is dated 2011! So the list is at least around 10 years old, and it does not catch all of top 25 words listed on Wikipedia. Samples of passwords it allows: qwertyuiop, 987654321, 1234567890, abcdefgh
- Are Complexity Requirements Deprecated?: I checked changing my password for 3 major tech companies: Gmail, Microsoft account, and for my Apple Id. Only Gmail did not require password complexity. So, most do require password complexity although they do have 2-factor authentication in place. Most Django deployments, more than 95% I assume, would not have 2-factor authentication, so password complexity is more needed.
- Do Complexity Requirements Work?:
- Research: From the resources you linked, I read one article (ref’ed below). Here are key findings:
i. A complex 8-character password had entropy of 34.3 where as a basic 8-character one had 29.43 (calculated with the specific method mentioned in the article). Not a huge difference, however not too bad either, that is about 17% gain.
ii. 188/972 (=20%) of the basic-8 passwords was cracked (with the tool mentioned in the article), whereas this number is 0 (zero) for the complex-8 group. A big difference there.
iii. About 15% of the basic group wrote down their passwords, either electronically or paper and pencil, where as this number is about 27% for the complex. Simpler passwords is the winner here, however one should not forget, written passwords are expected have their own protection (of some sort). Another thing to consider is that, if one is targeted individually, a written password might be a big vulnerability; however, for general account/password screenings this may not be as bad.
All in all, I say, password complexity has benefits; although not as much as one would expect.
- Complexity and Blacklisting Can Interoperate: For the simple case of “Password1!” mentioned below, the best method to tackle, I think, would be 1) remove the numbers and characters at the end 2) lowercase the first character 3) lookup in the black list. In other words, tackle the thinking pattern algorithmically, not by listing cases in a text file.
- Complexity support blacklisting: Check this list of common passwords, for example: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/500-worst-passwords.txt (provided by the Author of the Django’s list of common passwords). Most items there are either all lowercase or all numbers etc. By just requiring 1 upper case character, one could know off 60% off them. Adding a number, and a symbol requirement would easily bring that up to 95%.. Sure, those who are committed to not password protecting their accounts would find something in the remaining 5% (as in the example of “Password1!”), howerver, policies would be made for the mainstream, not for the extremes.
Bottom line; I think password complexity do have some benefits, and inclusion in Django would provide options, and save time to those who would like to use them. Regards,
Mehmet
References/Details:
- URL referenced in Django for the list of 1000 most common passwords : https://xato.net/passwords/more-top-worst-passwords/
(location: django\contrib\auth\password_validation.py)
Wikipedia: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords - G-Mail: Use at least 8 characters. Don’t use a password from another site, or something too obvious like your pet’s name.
Microsoft Account: Strong passwords contain at least 8 characters, do not include common words or names, and combine uppercase letters, lowercase letters, numbers, and symbols.
Apple Id: Your password must have: i) 8 or more characters ii) Upper & lowercase letters iii) At least one number - a) Article: Of Passwords and People: Measuring the Effect of Password-Composition Policies (https://www.archive.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf). I picked this article since its name suggested it is very related to our topic, and that CMU is a reputable university.
--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/Xlovt28QIDo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to django-develop...@googlegroups.com.
Mehmet Dogan
2 points I forgot to mention:
- I think it would be interesting to look at what other web frameworks are doing, e.g., Ruby on Rails
- If what I offered is not added, I think it makes more sense to remove similar ones (e.g., NumericPasswordValidator) from Django to make it self consistent.
Mehmet
Dan Davis
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/5b8983f4.1c69fb81.971e7.10d8%40mx.google.com.
James Bennett
Scot Hacker
Mehmet Dogan
Scot,
This is nice, thank you for sharing. I think something like this + an up to date black list should be good enough.
Mehmet
From: Scot Hacker
Sent: Saturday, September 1, 2018 8:38 PM
To: Django developers (Contributions to Django itself)
Subject: Re: New Password Validators
Rather than enforce an arbitrary set of password construction rules, I prefer systems that gauge password strength as an overall entropy score, then let sites establish the minimum overall strength they require. How that strength is achieved is up to each user - uou can either go short and random, or long and memorable. Length trumps pretty much all other factors, especially if you disallow strings such as the user's own username, email, company name, etc.). Dropbox created a system like this called zxcvbn and open sourced it. It was then ported to python.
--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/Xlovt28QIDo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/de03b9dd-ef24-4ee6-a7fd-287e79304465%40googlegroups.com.