#36179: hexed strings in common passwords database are not handled
-------------------------------------+-------------------------------------
     Reporter:  Michel Le Bihan      |                     Type:  Bug
       Status:  new                  |                Component:
                                     |  contrib.auth
      Version:  5.1                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:
  CommonPasswordValidator            |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 Hello,

 The common passwords database file
 (https://github.com/django/django/blob/main/django/contrib/auth/common-
 passwords.txt.gz) used by CommonPasswordValidator contains hexed strings
 like `$hex[617364666a6b6c3a]` on line 1679. That decodes to `asdfjkl:`
 which I believe is a common password that was intended to be included in
 the database. Another example is `$hex[2623323333363a]` on line 8616 that
 decodes to `&#2336:`. I see that
 https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
 contains the line `
 50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a]` and
 `echo -n 'asdfjkl:' | sha1sum` produces
 `72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b`. CommonPasswordValidator does
 not handle those hexed strings which I believe is wrong.

 I propose to update the database file to decode the hexed values and
 remove those that obviously can't be entered by a user.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36179>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/01070194ead0f7bf-e6747acb-e2aa-4db6-9936-6c7f30d97ef6-000000%40eu-central-1.amazonses.com.

Reply via email to