On Fri, Oct 8, 2010 at 11:28 AM, Laurent Luce <[email protected]> wrote:

> I noticed that create_user() is currently setting password to unusable
> if it is None or empty. However, set_password() is accepting an empty
> password. I decided to follow the first rule in the patch I submitted
> but I am kind of confused now. Can someone indicate what we should
> accept as a password?
An empty string isn't a *good* password, but then neither is a single character or a dictionary word, and we don't reject those. Policy decisions like this aren't the domain of a web framework. I'm sure there are also people using an empty password as the "I don't actually want security" password. Plus, there's a history in the free software community of using empty passwords as a protest [1] :-)

We can use None to mark an unusable password. Absent a good technical reason, I don't see why we should reject empty string.

As for the remainder of the patch on #14354 -- on the whole, it looks good. I've put some review comments on the ticket.

[1] http://en.wikipedia.org/wiki/Richard_Stallman#Early_years

Yours,
Russ Magee %-)
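The None-versus-empty-string distinction the thread settles on, as an added example that is not Django's own code: a minimal user model where `None` yields an unusable password (no password login at all) while `""` is hashed like any other password and stays usable. PBKDF2 from `hashlib` stands in for Django's hasher framework, and the `"!"` unusable-password prefix and iteration count are assumptions of this model.

```python
import hashlib
import hmac
import os

UNUSABLE_PREFIX = "!"   # assumption: marker for "no usable password"
ITERATIONS = 100_000    # constructed value for this example


class User:
    def __init__(self, username):
        self.username = username
        self.password = UNUSABLE_PREFIX  # default: password login impossible

    def set_password(self, raw_password):
        # As the thread describes: an empty string is hashed like any other
        # value, so the account remains reachable with an empty password.
        salt = os.urandom(16).hex()
        digest = hashlib.pbkdf2_hmac(
            "sha256", raw_password.encode(), salt.encode(), ITERATIONS).hex()
        self.password = f"pbkdf2_sha256${ITERATIONS}${salt}${digest}"

    def set_unusable_password(self):
        # Random suffix so the stored value never matches any real hash.
        self.password = UNUSABLE_PREFIX + os.urandom(20).hex()

    def has_usable_password(self):
        return not self.password.startswith(UNUSABLE_PREFIX)

    def check_password(self, raw_password):
        # An unusable password rejects every candidate, including "".
        if not self.has_usable_password():
            return False
        _, iters, salt, digest = self.password.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", raw_password.encode(), salt.encode(), int(iters)).hex()
        return hmac.compare_digest(candidate, digest)


def create_user(username, password=None):
    # The rule Russ argues for: only None marks the password unusable;
    # an empty string is accepted as a real (if weak) password.
    user = User(username)
    if password is None:
        user.set_unusable_password()
    else:
        user.set_password(password)
    return user
```

Whether `has_usable_password()` is false or the password is merely empty is the security-relevant difference: only the former blocks password login outright.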
