#36179: hexed strings in common passwords database are not handled
-------------------------------------+-------------------------------------
Reporter: Michel Le Bihan | Type: Bug
Status: new | Component:
| contrib.auth
Version: 5.1 | Severity: Normal
Keywords: | Triage Stage:
CommonPasswordValidator | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Hello,
The common passwords database file
(https://github.com/django/django/blob/main/django/contrib/auth/common-passwords.txt.gz) used by CommonPasswordValidator contains hexed strings
like `$hex[617364666a6b6c3a]` on line 1679. That decodes to `asdfjkl:`
which I believe is a common password that was intended to be included in
the database. Another example is `$hex[2623323333363a]` on line 8616 that
decodes to `&#2336:`. I see that
https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
contains the line `50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a]` and
`echo -n 'asdfjkl:' | sha1sum` produces
`72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b`. CommonPasswordValidator does
not handle those hexed strings which I believe is wrong.
I propose to update the database file to decode the hexed values and
remove those that obviously can't be entered by a user.
--
Ticket URL: <https://code.djangoproject.com/ticket/36179>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
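Added example (not code from the ticket, the gist, or Django itself): a loader that decodes hashcat-style `$HEX[...]` entries before they go into the lookup set, compares lowercased the way CommonPasswordValidator does, and recomputes the SHA-1 so a decoded entry can be cross-checked against the hash list quoted above. The sample list below is constructed for the example; the rule for dropping entries "a user can't enter" (non-UTF-8 bytes or non-printable characters) is this example's own assumption, not a policy from the ticket or Django.

```python
import hashlib
import re

# Constructed sample in the style of common-passwords.txt.gz (not the
# real file): two plain entries, the two $hex entries quoted in the
# ticket, one $HEX payload that is not valid UTF-8, and one malformed
# marker whose payload is not hex.
SAMPLE_LIST = """\
password
123456
$hex[617364666a6b6c3a]
$hex[2623323333363a]
$HEX[ff00fe]
$HEX[zz]
"""

# hashcat-style escape for passwords that are not clean text:
# $HEX[<hex digits>]; the marker itself is accepted case-insensitively.
HEX_ENTRY = re.compile(r"^\$HEX\[([0-9a-fA-F]+)\]$", re.IGNORECASE)


def decode_entry(line):
    """Return the plaintext for one list entry, or None if it should be
    dropped.

    Plain entries come back unchanged, including a malformed marker such
    as "$HEX[zz]" (a user could type that literally). A well-formed
    $HEX[...] entry is decoded; if the bytes are not valid UTF-8, or the
    text contains non-printable characters, it is treated as something a
    user cannot enter and dropped. That filter is this example's policy.
    """
    m = HEX_ENTRY.match(line)
    if m is None:
        return line
    try:
        # bytes.fromhex rejects an odd number of hex digits with ValueError.
        text = bytes.fromhex(m.group(1)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not text.isprintable():
        return None
    return text


def load_common_passwords(text):
    """Build the lookup set: one entry per line, $HEX entries decoded,
    everything lowercased so the membership test is case-insensitive."""
    passwords = set()
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        decoded = decode_entry(raw)
        if decoded is not None:
            passwords.add(decoded.lower())
    return passwords


def is_common(password, common):
    # Same shape of comparison CommonPasswordValidator makes: the
    # candidate is lowercased and looked up in the preloaded set.
    return password.lower().strip() in common


def sha1_hex(text):
    # Cross-check helper: the gist line in the ticket pairs a SHA-1 with
    # the $HEX[...] form, so a decoded entry can be verified against it.
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    common = load_common_passwords(SAMPLE_LIST)
    for candidate in ("asdfjkl:", "ASDFJKL:", "&#2336:", "$hex[617364666a6b6c3a]"):
        print(f"{candidate!r}: common={is_common(candidate, common)}")
    print("sha1('asdfjkl:') =", sha1_hex("asdfjkl:"))
```

With the undecoded file, `asdfjkl:` passes the validator because only the literal string `$hex[617364666a6b6c3a]` is in the set; after decoding, the plaintext (and its upper-case variant) is rejected, while the undecodable `$HEX[ff00fe]` entry is dropped rather than kept as a useless literal.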