
Re: password is None in check_password


Russell Keith-Magee Oct 7, 2010 11:17 PM
Posted in group: Django developers (Contributions to Django itself)
On Fri, Oct 8, 2010 at 11:28 AM, Laurent Luce <lauren...@yahoo.com> wrote:
> I noticed that create_user() is currently setting password to unusable
> if it is None or empty. However, set_password() is accepting an empty
> password. I decided to follow the first rule in the patch I submitted
> but I am kind of confused now. Can someone indicate what we should
> accept as a password?

An empty string isn't a *good* password, but then neither is a single
character or a dictionary word, and we don't reject those. Policy
decisions like this aren't the domain of a web framework.

I'm sure there are also people using an empty password as the "I don't
actually want security" password. Plus, there's a history in the free
software community of using empty passwords as a protest [1] :-)

We can use None to mark an unusable password. Absent a good
technical reason, I don't see why we should reject an empty string.

As for the remainder of the patch on #14354 -- on the whole, it looks
good. I've put some review comments on the ticket.

[1] http://en.wikipedia.org/wiki/Richard_Stallman#Early_years

Yours,
Russ Magee %-)
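The distinction the reply draws, None as the marker for an unusable password and the empty string as an ordinary (if weak) password, is easy to get wrong when the same function handles both. The block below is an added illustration of that rule written for this page; it is not Django's code and it does not use Django's API. It models the three names from the thread (`create_user`, `set_password` via `make_password`, and `check_password`) on top of PBKDF2 from the standard library; the encoded format, the `!` prefix and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumed marker for an unusable password: a hex digest never starts with "!",
# so an unusable entry can never be mistaken for a real hash.
UNUSABLE_PREFIX = "!"
ITERATIONS = 100_000  # assumed work factor for the example


def make_password(raw_password):
    """Encode a password for storage (the set_password() half of the rule).

    None -> unusable marker: the account cannot log in with any password.
    str  -> salted PBKDF2 hash; the empty string is hashed like any other.
    """
    if raw_password is None:
        # Random suffix so two unusable entries never compare equal.
        return UNUSABLE_PREFIX + secrets.token_hex(20)
    if not isinstance(raw_password, str):
        raise TypeError("password must be a str or None")
    salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac(
        "sha256", raw_password.encode("utf-8"), salt.encode("utf-8"), ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest.hex()}"


def is_password_usable(encoded):
    """False for an empty stored value or one carrying the unusable marker."""
    return bool(encoded) and not encoded.startswith(UNUSABLE_PREFIX)


def check_password(raw_password, encoded):
    """True only if raw_password (a str) matches a usable stored value.

    A None candidate never matches anything, and an unusable stored value
    never matches anything, so neither case reaches the hash computation.
    """
    if raw_password is None or not is_password_usable(encoded):
        return False
    try:
        algorithm, iterations, salt, stored_hex = encoded.split("$")
    except ValueError:
        return False  # malformed stored value: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", raw_password.encode("utf-8"), salt.encode("utf-8"), int(iterations)
    )
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(candidate.hex(), stored_hex)


def create_user(username, password=None):
    """The create_user() behaviour the reply argues for: only None means
    unusable; any str, including "", becomes a real password."""
    return {"username": username, "password": make_password(password)}


if __name__ == "__main__":
    alice = create_user("alice", "")          # empty password, still usable
    bob = create_user("bob", None)            # unusable password
    print("alice/'' ->", check_password("", alice["password"]))      # True
    print("alice/None ->", check_password(None, alice["password"]))  # False
    print("bob usable ->", is_password_usable(bob["password"]))       # False
    print("bob/'' ->", check_password("", bob["password"]))          # False
```

The point to notice is that `check_password(None, ...)` is rejected up front rather than being coerced to `""`, which is what keeps "no password supplied" from ever colliding with "the password is the empty string".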