On Sat, Nov 27, 2010 at 1:57 AM, Serge Spaolonzi (Cobalys.com) <[email protected]> wrote:
> Hi,
> I have been working with Django for two years. In order to fit my
> systems' requirements I have changed some parts of the Django code. One
> of them is the Authorization Framework; I have added the following features:
>
> -Password Strength Validation with cracklib.
> -Maximum Login attempts.
>
> I want to ask for those features and merge my code with the official
> Django code.
>
> This is my code for the password strength validation:
>
> Line 156 from Method clean_new_password2(self) from
> /django/contrib/auth/forms.py:
>
>     def clean_new_password2(self):
>         password1 = self.cleaned_data.get('new_password1')
>         password2 = self.cleaned_data.get('new_password2')
>         if password1 and password2:
>             import crack
>             # Increase the number of credits required from the default of 8 if you want.
>             crack.min_length = 8
>             try:
>                 crack.VeryFascistCheck(password1)
>             except ValueError, message:
>                 raise forms.ValidationError("Weak Password, %s." % str(message))
>
>             if password1 != password2:
>                 raise forms.ValidationError("Passwords do not match. Please try again.")
>         return password2
>
>
> Original Method:
>
>     def clean_new_password2(self):
>         password1 = self.cleaned_data.get('new_password1')
>         password2 = self.cleaned_data.get('new_password2')
>         if password1 and password2:
>             if password1 != password2:
>                 raise forms.ValidationError(_("The two password fields didn't match."))
>         return password2
>
>
> -The code I have published includes the import statement inside the
> method; I did that only to avoid posting the entire file here. The code I
> have is cleaner.
> -It requires cracklib and python-cracklib

I'm happy to entertain the idea of providing an extension point where you can define a password strength function, but I'm not about to introduce a default policy. This is for two reasons:

 * Appropriate password strength is a policy issue, not a framework issue. *You* may think that cracklib gives a good measure of password strength, but others will think it is too much, and others will think it's not enough.

 * Availability of downstream libraries. Django, by design, works out of the box with a minimum of dependencies.

So - if you can rephrase this in terms of a function/class API where someone can define a mechanism for enforcing password strength, and provide two implementations (the "any password is OK" policy and the "cracklib policy" would be enough), then I can see this being a good addition to Django.

Yours,
Russ Magee %_)
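
The extension point proposed in this reply could take the following shape. This is an added example, not code from the thread or from Django: the class names, the `check` method, the `checker` argument and the `constructed_checker` stand-in are assumptions, while `crack.min_length` and `crack.VeryFascistCheck` are the calls used in the quoted message.

```python
class PasswordRejected(ValueError):
    """Raised by a policy when a password does not meet it."""


class AnyPasswordPolicy:
    """The 'any password is OK' policy: accepts everything."""

    def check(self, password):
        return None


class CracklibPolicy:
    """Delegates to cracklib; `checker` is an assumed hook for testing."""

    def __init__(self, min_length=8, checker=None):
        if checker is None:
            # Import at construction so a missing library fails at
            # start-up instead of silently accepting weak passwords.
            import crack
            crack.min_length = min_length
            checker = crack.VeryFascistCheck
        self._checker = checker

    def check(self, password):
        try:
            self._checker(password)
        except ValueError as exc:
            raise PasswordRejected("Weak password, %s." % exc)


def clean_new_password2(password1, password2, policy):
    """Form-independent version of the check in the quoted method."""
    if password1 and password2:
        if password1 != password2:
            raise PasswordRejected("The two password fields didn't match.")
        policy.check(password1)
    return password2


def constructed_checker(password):
    """Constructed stand-in for crack.VeryFascistCheck (offline demo)."""
    if len(password) < 8:
        raise ValueError("it is too short")
    if password.lower() in ("password", "12345678"):
        raise ValueError("it is based on a dictionary word")
    return password
```

With the policy passed in, the framework ships no dependency on cracklib, and a site that selects `CracklibPolicy` without the library installed gets an `ImportError` when the policy is built rather than a silently disabled check.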
