Security comes first, so the should stay on by default.
True, security comes first, but from the philosophical point of view, I wouldn't like forcing by default any particular password policy to the users. If I understood it right, it isn't just a simple warning that says your password is too weak and lets you continue: it blatantly refuses to set that password for you. That is what I don't like.
Some other related questions also come to my mind: What exactly are we considering a secure password? Why not leave the validator list empty by default and document the feature on the security checklist, with the rest of deployment-related features that aren't on by default?
Don't take me wrong, I *do* think this is a great feature, but it should be the developers choice to turn it on.
-- unai -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/20150907173044.GC11490%40def. For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: Digital signature
