Enable password strength validation by default

Use Django's built-in password validators with reasonable settings, and add a basic complexity validator since there isn't one provided. Additionally, fix the registration form so that it shows the help text which includes a description of what the password requirements are. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2025-07-19 12:49:01 +02:00 · 2018-10-19 15:32:04 +13:00 · 2018-10-19 15:32:04 +13:00 · 5d308d943e
commit 5d308d943e
parent 55d6840072
4 changed files with 72 additions and 0 deletions
--- a/docker/settings.py
+++ b/docker/settings.py
@ -162,6 +162,28 @@ AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',
 ]

+# Password validation
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+        'OPTIONS': {
+            'min_length': 8,
+        }
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+    {
+        'NAME': 'password_validation.ComplexityValidator',
+    },
+]
+
 REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'layerindex.restperm.ReadOnlyPermission',
--- a/password_validation.py
+++ b/password_validation.py
@ -0,0 +1,25 @@
+from django.core.exceptions import ValidationError
+from django.utils.translation import ugettext as _
+
+import re
+
+class ComplexityValidator(object):
+    def validate(self, password, user=None):
+        score = 0
+        if re.search('[0-9]', password):
+            score += 1
+        if password.lower() != password:
+            score += 1
+        if re.search('[^a-zA-Z0-9]', password):
+            score += 1
+
+        if score < 2:
+            raise ValidationError(
+                _("This password does not contain at least two of: upper/lowercase characters; a number; a special (non-alphanumeric) character."),
+                code='password_too_simple'
+            )
+
+    def get_help_text(self):
+        return _(
+            "Your password must contain at least two of: upper/lowercase characters; a number; a special (non-alphanumeric) character"
+        )
--- a/settings.py
+++ b/settings.py
@ -162,6 +162,28 @@ AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',
 ]

+# Password validation
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+        'OPTIONS': {
+            'min_length': 8,
+        }
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+    {
+        'NAME': 'password_validation.ComplexityValidator',
+    },
+]
+
 REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'layerindex.restperm.ReadOnlyPermission',
--- a/templates/registration/registration_form.html
+++ b/templates/registration/registration_form.html
@ -20,6 +20,9 @@
            <div class="controls">
                {{ field }}
            </div>
+        <p>
+        {{ field.help_text|safe }}
+        </p>
        </div>
    {% endfor %}