I agree with James and Adam; password validation rules depend on the business and 
should not be forced by core onto developers.

> On Aug 31, 2018, at 12:52 PM, Adam Johnson <m...@adamj.eu> wrote:
> 
> I agree with James, Django core shouldn't include these. If your organization 
> requires you to implement such practices despite their problems, add your own 
> password validators, and maybe distribute them in a third party package!
> 
> On Fri, 31 Aug 2018 at 06:32, James Bennett <ubernost...@gmail.com> wrote:
> This type of enforced "complexity" does not increase security, and relevant 
> standards groups now recommend not trying to enforce these rules.
> 
> Quoting US NIST 800-63B, Appendix A:
> 
> > As noted above, composition rules are commonly used in an attempt to 
> > increase the difficulty of guessing user-chosen passwords. Research has 
> > shown, however, that users respond in very predictable ways to the 
> > requirements imposed by composition rules [Policies]. For example, a user 
> > that might have chosen “password” as their password would be relatively 
> > likely to choose “Password1” if required to include an uppercase letter and 
> > a number, or “Password1!” if a symbol is also required.
> 
> The NIST guidelines now say (800-63B §5.1.1.1):
> 
> > Memorized secrets SHALL be at least 8 characters in length if chosen by the 
> > subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL 
> > be at least 6 characters in length and MAY be entirely numeric. If the CSP 
> > or verifier disallows a chosen memorized secret based on its appearance on 
> > a blacklist of compromised values, the subscriber SHALL be required to 
> > choose a different memorized secret. No other complexity requirements for 
> > memorized secrets SHOULD be imposed.
> 
> I would be against adding validators to Django to try to enforce these 
> deprecated practices.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-developers+unsubscr...@googlegroups.com 
> <mailto:django-developers+unsubscr...@googlegroups.com>.
> To post to this group, send email to django-developers@googlegroups.com 
> <mailto:django-developers@googlegroups.com>.
> Visit this group at https://groups.google.com/group/django-developers 
> <https://groups.google.com/group/django-developers>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/CAL13Cg_%2BKMi2naSExPR0MVvBb0JnY%3DFV7A6goDHeaTWRoSpaJQ%40mail.gmail.com
>  
> <https://groups.google.com/d/msgid/django-developers/CAL13Cg_%2BKMi2naSExPR0MVvBb0JnY%3DFV7A6goDHeaTWRoSpaJQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout 
> <https://groups.google.com/d/optout>.
> 
> 
> -- 
> Adam
> 


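An added illustration of the point argued in this thread (not code from Django or from any of the posters): two validators written to Django's password-validator interface (`validate(password, user=None)` and `get_help_text()`), one enforcing composition rules and one enforcing only the length and blocklist checks quoted from 800-63B §5.1.1.1. The class names, the `accepts` helper, the local `ValidationError` stand-in and the sample blocklist are assumptions made so the example runs without Django; in a project the validators would raise `django.core.exceptions.ValidationError` and be listed in `AUTH_PASSWORD_VALIDATORS`.

```python
import re
import unicodedata

class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError (assumption: no Django here)."""

# Constructed sample blocklist; a deployment would load a breached-password corpus.
SAMPLE_BLOCKLIST = {"password", "password1", "password1!", "qwerty123", "iloveyou1"}

class CompositionRuleValidator:
    """The deprecated style: demand uppercase, lowercase, digit and symbol."""
    RULES = [(r"[A-Z]", "an uppercase letter"), (r"[a-z]", "a lowercase letter"),
             (r"\d", "a digit"), (r"[^A-Za-z0-9]", "a symbol")]

    def validate(self, password, user=None):
        missing = [name for rx, name in self.RULES if not re.search(rx, password)]
        if missing:
            raise ValidationError("Password must contain " + ", ".join(missing) + ".")

    def get_help_text(self):
        return "Your password must mix uppercase, lowercase, digits and symbols."

class LengthAndBlocklistValidator:
    """800-63B 5.1.1.1 as quoted above: minimum length plus blocklist, nothing else."""

    def __init__(self, min_length=8, blocklist=SAMPLE_BLOCKLIST):
        self.min_length = min_length
        self.blocklist = {self._normalize(p) for p in blocklist}

    @staticmethod
    def _normalize(password):
        # Case-insensitive matching is a choice made for this example.
        return unicodedata.normalize("NFKC", password).casefold()

    def validate(self, password, user=None):
        if len(password) < self.min_length:
            raise ValidationError(f"Password must be at least {self.min_length} characters.")
        if self._normalize(password) in self.blocklist:
            raise ValidationError("Password appears on a list of compromised values.")

    def get_help_text(self):
        return f"At least {self.min_length} characters and not a known compromised password."

def accepts(validator, password):
    try:
        validator.validate(password)
    except ValidationError:
        return False
    return True
```

With these definitions the composition-rule validator accepts "Password1!" and rejects a long lowercase passphrase, while the length-and-blocklist validator does the opposite.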