#36179: hexed strings in common passwords database are not handled
-------------------------------------+-------------------------------------
     Reporter:  Michel Le Bihan      |                    Owner:  (none)
         Type:  Bug                  |                   Status:  new
    Component:  contrib.auth         |                  Version:  5.1
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
  CommonPasswordValidator            |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Michel Le Bihan:

Old description:

> Hello,
>
> The common passwords database file (https://github.com/django/django/blob/main/django/contrib/auth/common-passwords.txt.gz) used by CommonPasswordValidator contains hexed strings
> like `$hex[617364666a6b6c3a]` on line 1679. That decodes to `asdfjkl:`
> which I believe is a common password that was intended to be included in
> the database. Another example is `$hex[2623323333363a]` on line 8616 that
> decodes to `&#2336:`. I see that
> https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
> contains the line `50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a]`
> and `echo -n 'asdfjkl:' | sha1sum` produces
> `72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b`. CommonPasswordValidator does
> not handle those hexed strings which I believe is wrong.
>
> I propose to update the database file to decode the hexed values and
> remove those that obviously can't be entered by a user.

New description:

 Hello,

 The common passwords database file (https://github.com/django/django/blob/main/django/contrib/auth/common-passwords.txt.gz) used by CommonPasswordValidator contains hexed strings
 like `$hex[617364666a6b6c3a]` on line 1679. That decodes to `asdfjkl:`
 which I believe is a common password that was intended to be included in
 the database. Another example is `$hex[2623323333363a]` on line 8616 that
 decodes to `&#2336:`. I see that
 https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
 contains the line
 `50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a]`
 and `echo -n 'asdfjkl:' | sha1sum` produces
 `72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b`. CommonPasswordValidator does
 not handle those hexed strings which I believe is wrong.

 I propose to update the database file to decode the hexed values and
 remove those that obviously can't be entered by a user.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/36179#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
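One way to normalise the `$HEX[...]` entries the ticket describes when the list is loaded, as an added example that is neither Django's code nor the reporter's: it decodes hex entries, drops the ones a user could not type (invalid UTF-8 or control characters), and mirrors the validator's `password.lower().strip()` comparison against a constructed sample of lines.

```python
import binascii
import re
from typing import Iterable, Optional, Set

# The $HEX[...] convention from leaked-password lists; the shipped file has it
# lowercased ($hex[...]), so the match is case-insensitive.
HEX_ENTRY = re.compile(r"^\$hex\[([0-9a-f]*)\]$", re.IGNORECASE)


def decode_entry(line: str) -> Optional[str]:
    """Return the plaintext for one list entry, or None if it should be dropped.

    Plain entries pass through unchanged. $HEX entries are decoded; values that
    are empty, not valid UTF-8, or contain non-printable characters are treated
    as untypeable and dropped, as the ticket proposes.
    """
    line = line.strip()
    if not line:
        return None
    match = HEX_ENTRY.match(line)
    if match is None:
        return line
    try:
        text = binascii.unhexlify(match.group(1)).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or not text.isprintable():
        return None
    return text


def load_common_passwords(lines: Iterable[str]) -> Set[str]:
    """Build the lowercase lookup set, decoding $HEX entries on the way in."""
    passwords = set()
    for line in lines:
        decoded = decode_entry(line)
        if decoded is not None:
            passwords.add(decoded.lower())
    return passwords


def is_common(password: str, passwords: Set[str]) -> bool:
    """Same comparison the validator makes: lowercased and stripped."""
    return password.lower().strip() in passwords


# Constructed sample lines modelled on the entries the ticket cites.
SAMPLE_LINES = [
    "password",
    "$hex[617364666a6b6c3a]",  # decodes to asdfjkl:
    "$hex[2623323333363a]",    # decodes to &#2336:
    "$hex[00ff]",              # not valid UTF-8: dropped
    "$hex[0a]",                # bare newline: dropped
]

if __name__ == "__main__":
    print(sorted(load_common_passwords(SAMPLE_LINES)))
```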
