Hi,
I have a small issue with the Validation of Passwords in the Change Password Page.
Due to certain different requirements, I have written my own Custom Forms for Change Password.
Now in this, I would want to first Validate the Old Password Field with the Current User's Password.
The Problem I am facing here is that the OldPassword Field provides me a Password in Raw String Format.
But the user.password returns a Hashed Output of the User's Password.
And for obvious Reasons, the Validation fails between OldPassword and the User.Password.
In many forums I checked that the Reverse way to get the Password from the Hashed Values is not possible.
So my only way to do this validation is through Encrypting the OldPassword and then Comparing the Hash.
But I am not sure how to do that.
Can someone please tell me how this is possible to achieve and what are the APIs that I can use to get the Password to be compared.
>
> Thanks for the Suggestion.
> James, the option that you provided makes the User change the Password of the logged-in user, which might turn out to be a costly operation.
Not entirely sure what you mean?
If you make the username available to the ModelForm class (either as a field value or a raw value passed in during the ModelForm initialization), then you simply run authenticate() as part of your validation process.
Validating within the view ensures that request.user is already available for testing (assuming default middleware).
The only time that an extra query would be incurred is if you needed to pull the user object based on the ID in order to grab the username. I wouldn't consider 1 indexed query as 'costly', especially for an operation that would be executed relatively infrequently compared to the load generated by the rest of the site (obviously the frequency is dependent on your site traffic levels).
I'd implement the easiest way for now and evaluate the whole process if you determine it is a source of stress for your DB, which is unlikely in the short and medium term.
-James
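
The comparison asked about in this thread works by re-hashing the submitted old password with the salt and iteration count stored next to the hash, then comparing the two strings in constant time. The following is an added example, not code from the thread or from Django: it assumes the stored value uses the `pbkdf2_sha256$iterations$salt$hash` layout, and `make_hash` and `verify_old_password` are hypothetical names. In a Django project, `user.check_password(raw_password)` performs this check.

```python
import base64
import hashlib
import hmac
import secrets


def make_hash(raw_password, salt=None, iterations=260000):
    """Build a stored value in the assumed pbkdf2_sha256$iterations$salt$hash layout."""
    if salt is None:
        salt = secrets.token_hex(8)  # fresh random salt for a new password
    digest = hashlib.pbkdf2_hmac(
        "sha256", raw_password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    encoded = base64.b64encode(digest).decode("ascii")
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, encoded)


def verify_old_password(raw_password, stored):
    """Return True only if raw_password hashes to the stored value.

    The salt and iteration count are read back from the stored string, so the
    raw input is hashed with exactly the parameters used when it was set.
    """
    try:
        algorithm, iterations, salt, _hash = stored.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or unusable stored value
    if algorithm != "pbkdf2_sha256" or iterations <= 0 or not salt:
        return False
    candidate = make_hash(raw_password, salt, iterations)
    # Constant-time comparison avoids leaking how much of the hash matched.
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample: what a user row's password column would hold.
    stored = make_hash("s3cret-old", iterations=1000)
    print(stored.split("$")[:2])
    print(verify_old_password("s3cret-old", stored))   # correct old password
    print(verify_old_password("wrong-guess", stored))  # rejected
```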