Rather than enforce an arbitrary set of password construction rules, I prefer systems that gauge password strength as an overall entropy score, then let sites establish the minimum overall strength they require. How that strength is achieved is up to each user - you can either go short and random, or long and memorable. Length trumps pretty much all other factors, especially if you disallow strings such as the user's own username, email, company name, etc. Dropbox created a system like this called zxcvbn and open sourced it. It was then ported to Python.
https://github.com/dropbox/zxcvbn
https://github.com/dwolfhub/zxcvbn-python

I use a "roll your own" solution on top of zxcvbn-python in some of my projects (in order to show dynamic strength meters in the UI as the user types), but others have converted it to work as a Django password validator.

https://github.com/Pierre-Sassoulas/django-zxcvbn-password-validator

If Django were to bundle any additional validators, this or something like it would have my vote.

./s
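
The approach described in the message above, as an added example that is not code from the message or from any of the linked projects: a Django-style validator that enforces only a minimum zxcvbn score and passes the user's own strings to the estimator so they earn no credit. The class name, `USER_ATTRIBUTES`, the injectable `estimate` parameter and the fallback `ValidationError` are assumptions made for illustration.

```python
try:
    from django.core.exceptions import ValidationError
except ImportError:
    # Fallback (assumption) so the example also runs without Django installed.
    class ValidationError(Exception):
        pass


def zxcvbn_estimate(password, user_inputs):
    """Default estimator: zxcvbn-python, imported lazily (pip install zxcvbn)."""
    from zxcvbn import zxcvbn
    return zxcvbn(password, user_inputs=user_inputs)


class MinimumStrengthValidator:
    """Hypothetical Django-style validator: one score threshold, no composition rules."""

    # Assumption: the user attributes whose values should not count as strength.
    USER_ATTRIBUTES = ("username", "email", "first_name", "last_name")

    def __init__(self, min_score=3, estimate=zxcvbn_estimate):
        if not 0 <= min_score <= 4:
            raise ValueError("zxcvbn scores range from 0 to 4")
        self.min_score = min_score
        self.estimate = estimate  # injectable, so the policy is testable offline

    def user_inputs(self, user):
        """Collect the user's own strings, plus the parts of any email address."""
        values = []
        for name in self.USER_ATTRIBUTES:
            value = str(getattr(user, name, None) or "")
            if value:
                values.append(value)
            if "@" in value:
                values.extend(p for p in value.replace("@", ".").split(".") if p)
        return values

    def validate(self, password, user=None):
        result = self.estimate(password, self.user_inputs(user))
        if result["score"] < self.min_score:
            feedback = result.get("feedback", {})
            hints = [feedback.get("warning", "")] + list(feedback.get("suggestions", []))
            raise ValidationError(
                "Password is too weak (score %d, need at least %d). %s"
                % (result["score"], self.min_score, " ".join(h for h in hints if h))
            )

    def get_help_text(self):
        return "Your password must reach strength score %d out of 4." % self.min_score
```

In a Django project a class like this is listed in `AUTH_PASSWORD_VALIDATORS`, with `min_score` supplied through the entry's `OPTIONS`.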