UserAttributeSimilarityValidator
MinimumLengthValidator
CommonPasswordValidator
NumericPasswordValidator
import re

from django.core.exceptions import ValidationError


class HasLowerCaseValidator:
    """Require at least one ASCII lowercase letter."""

    def __init__(self):
        self.message = "The password must contain at least one lowercase character."

    def validate(self, password, user=None):
        if re.search('[a-z]', password) is None:
            raise ValidationError(
                self.message,
                code='missing_lower_case',
            )

    def get_help_text(self):
        return self.message


class HasUpperCaseValidator:
    """Require at least one ASCII uppercase letter."""

    def __init__(self):
        self.message = "The password must contain at least one uppercase character."

    def validate(self, password, user=None):
        if re.search('[A-Z]', password) is None:
            raise ValidationError(
                self.message,
                code='missing_upper_case',
            )

    def get_help_text(self):
        return self.message


class HasNumberValidator:
    """Require at least one ASCII digit."""

    def __init__(self):
        self.message = "The password must contain at least one numeric character."

    def validate(self, password, user=None):
        if re.search('[0-9]', password) is None:
            raise ValidationError(
                self.message,
                code='missing_numeric',
            )

    def get_help_text(self):
        return self.message


class HasSymbolValidator:
    """Require at least one character outside A-Z, a-z and 0-9."""

    def __init__(self):
        self.message = "The password must contain at least one non-alphanumeric character (symbol)."

    def validate(self, password, user=None):
        if re.search('[^A-Za-z0-9]', password) is None:
            raise ValidationError(
                self.message,
                code='missing_symbol',
            )

    def get_help_text(self):
        return self.message

Regards,
Mehmet
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAL13Cg_%2BKMi2naSExPR0MVvBb0JnY%3DFV7A6goDHeaTWRoSpaJQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Hey James,
Thank you for the resources you provided. I really learned a lot. Here are a few points (references/details at the very bottom):
i. A complex 8-character password had an entropy of 34.3, whereas a basic 8-character one had 29.43 (calculated with the specific method mentioned in the article). Not a huge difference, however, not too bad either; that is about a 17% gain.
ii. 188/972 (=20%) of the basic-8 passwords were cracked (with the tool mentioned in the article), whereas this number is 0 (zero) for the complex-8 group. A big difference there.
iii. About 15% of the basic group wrote down their passwords, either electronically or with paper and pencil, whereas this number is about 27% for the complex. Simpler passwords are the winner here; however, one should not forget that written passwords are expected to have their own protection (of some sort). Another thing to consider is that, if one is targeted individually, a written password might be a big vulnerability; however, for general account/password screenings this may not be as bad.
All in all, I say, password complexity has benefits, although not as much as one would expect.
Bottom line: I think password complexity does have some benefits, and inclusion in Django would provide options and save time for those who would like to use them.
Regards,
Mehmet
References/Details:
2 points I forgot to mention:
Mehmet
Scot,
This is nice, thank you for sharing. I think something like this + an up-to-date black list should be good enough.
Mehmet
From: Scot Hacker
Sent: Saturday, September 1, 2018 8:38 PM
To: Django developers (Contributions to Django itself)
Subject: Re: New Password Validators
Rather than enforce an arbitrary set of password construction rules, I prefer systems that gauge password strength as an overall entropy score, then let sites establish the minimum overall strength they require. How that strength is achieved is up to each user - you can either go short and random, or long and memorable. Length trumps pretty much all other factors, especially if you disallow strings such as the user's own username, email, company name, etc. Dropbox created a system like this called zxcvbn and open sourced it. It was then ported to Python.
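
An added example, not code from any poster in this thread and not Django's or zxcvbn's implementation: it runs the four character-class rules from the first message next to the length, blacklist and personal-data policy discussed in the replies, so the difference shows on concrete inputs. The blacklist, the substitution table, the function names and the sample passwords are constructed for illustration.

```python
import re

# Constructed sample blacklist; a real deployment loads a large, current list.
BLACKLIST = {"password", "letmein", "qwerty", "welcome"}
# Undo common character substitutions before the blacklist lookup (constructed table).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s", "!": "i"})
# The four character-class checks from the first message, keyed by error code.
COMPOSITION_RULES = {
    "missing_lower_case": "[a-z]",
    "missing_upper_case": "[A-Z]",
    "missing_numeric": "[0-9]",
    "missing_symbol": "[^A-Za-z0-9]",
}

def composition_failures(password):
    """Codes of the character-class rules the password does not satisfy."""
    return [code for code, pattern in COMPOSITION_RULES.items()
            if re.search(pattern, password) is None]

def candidates(password):
    """Normalised forms to look up: raw, substitutions undone, affixes stripped."""
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)  # drop e.g. a trailing "2018!"
    return {lowered, lowered.translate(LEET), stripped.translate(LEET)}

def policy_failures(password, user_attributes=(), min_length=12):
    """Codes for the length + blacklist + personal-data policy."""
    failures = []
    if len(password) < min_length:
        failures.append("too_short")
    forms = candidates(password)
    if forms & BLACKLIST:
        failures.append("blacklisted")
    attrs = [a.lower() for a in user_attributes if len(a) >= 3]
    if any(a in form for a in attrs for form in forms):
        failures.append("contains_user_attribute")
    return failures

if __name__ == "__main__":
    user = ("alice", "ExampleCorp")  # constructed user attributes
    for pw in ("Password1!", "P@ssw0rd2018!", "Alice-ExampleCorp-2018",
               "violet kettle drifts northward"):
        print(repr(pw), composition_failures(pw), policy_failures(pw, user))
```

The first three sample passwords satisfy every character-class rule yet fail the second policy, while the long lowercase passphrase does the opposite.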