I don't think removing the default list from the template is the right 
idea. We'd be sacrificing some production users that don't go through 
security options on deployment checklists to better support development 
environments where the security issue (probably) isn't present. I do think 
we need some kind of solution though, because I don't want these validators 
in development either. Personally, I have no issue with adding a SETTING=[] 
to my local_settings. It would be nicer to drive a solution based on DEBUG 
though.

Cheers


On Tuesday, 8 September 2015 09:26:36 UTC+10, Tim Graham wrote:
>
> I think the simplest solution could be to remove the default list of 
> AUTH_PASSWORD_VALIDATORS that have been added to the project template 
> settings file and let the user add it to their own production settings 
> instead. Do you think this reduces the usefulness of the feature? We could 
> add a deployment check for an empty AUTH_PASSWORD_VALIDATORS as an 
> alternate way of encouraging its use.
>
> On Monday, September 7, 2015 at 5:40:58 PM UTC-4, Aron Podrigal wrote:
>>
>> +1
>> On Sep 7, 2015 4:56 PM, "Shai Berger" <[email protected]> wrote:
>>
>>> On Monday 07 September 2015 20:09:06 Marc Tamlyn wrote:
>>> > I agree with Aymeric and Markus that createsuperuser should not validate
>>> > strength of passwords when DEBUG is on. Having to use a secure password for
>>> > development/test accounts is an unnecessary level of interference for
>>> > users.
>>> >
>>> > I agree it's safer to prevent using admin/admin in production and this is a
>>> > good thing, but there's no reason to prevent this for development. In fact,
>>> > I'd argue enforcing it for development will encourage teams to have a
>>> > "standard" secure password for their sites, which is also used in
>>> > production. By allowing admin/admin in development, and enforcing something
>>> > better in production we are more helpfully enforcing best practice.
>>> >
>>> +1.
>>>
>>> Shai.
>>>
>>

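The two options raised in this thread, a validator list driven by DEBUG and a deployment check for an empty AUTH_PASSWORD_VALIDATORS, sketched together as an added example (not code from the thread or from Django itself). The names `validators_for`, `empty_validator_problems`, `check_password_validators` and the check id `example.W001` are hypothetical.

```python
from types import SimpleNamespace

try:  # optional: wire into `manage.py check --deploy` when Django is installed
    from django.core.checks import Tags, Warning, register
except ImportError:
    register = None

_PKG = "django.contrib.auth.password_validation."
# The four validators in the project template's default list.
DEFAULT_VALIDATORS = [
    {"NAME": _PKG + name}
    for name in (
        "UserAttributeSimilarityValidator",
        "MinimumLengthValidator",
        "CommonPasswordValidator",
        "NumericPasswordValidator",
    )
]


def validators_for(debug):
    """For settings.py: AUTH_PASSWORD_VALIDATORS = validators_for(DEBUG)."""
    return [] if debug else [dict(v) for v in DEFAULT_VALIDATORS]


def empty_validator_problems(settings):
    """Return one message if the validator list is missing or empty."""
    if getattr(settings, "AUTH_PASSWORD_VALIDATORS", None):
        return []
    return ["AUTH_PASSWORD_VALIDATORS is empty: no password validation "
            "is applied."]


if register:
    @register(Tags.security, deploy=True)
    def check_password_validators(app_configs, **kwargs):
        from django.conf import settings
        # "example.W001" is a made-up id for this sketch, not a Django check id.
        return [Warning(m, id="example.W001")
                for m in empty_validator_problems(settings)]


# Constructed settings objects standing in for a dev and a production config.
DEV = SimpleNamespace(DEBUG=True, AUTH_PASSWORD_VALIDATORS=validators_for(True))
PROD = SimpleNamespace(DEBUG=False, AUTH_PASSWORD_VALIDATORS=validators_for(False))
```

Because the check is registered with `deploy=True`, it only runs under `manage.py check --deploy`, so an empty list in a development settings file stays silent during normal work.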