I think the simplest solution could be to remove the default list of AUTH_PASSWORD_VALIDATORS that have been added to the project template settings file and let the user add it to their own production settings instead. Do you think this reduces the usefulness of the feature? We could add a deployment check for an empty AUTH_PASSWORD_VALIDATORS as an alternate way of encouraging its use.

On Monday, September 7, 2015 at 5:40:58 PM UTC-4, Aron Podrigal wrote:
>
> +1
> On Sep 7, 2015 4:56 PM, "Shai Berger" <[email protected]> wrote:
>
>> On Monday 07 September 2015 20:09:06 Marc Tamlyn wrote:
>> > I agree with Aymeric and Markus that createsuperuser should not validate
>> > strength of passwords when DEBUG is on. Having to use a secure password for
>> > development/test accounts is an unnecessary level of interference for
>> > users.
>> >
>> > I agree it's safer to prevent using admin/admin in production and this is a
>> > good thing, but there's no reason to prevent this for development. In fact,
>> > I'd argue enforcing it for development will encourage teams to have a
>> > "standard" secure password for their sites, which is also used in
>> > production. By allowing admin/admin in development, and enforcing something
>> > better in production we are more helpfully enforcing best practice.
>> >
>> +1.
>>
>> Shai.
>>
