#36179: hexed strings in common passwords database are not handled
-------------------------------------+-------------------------------------
     Reporter:  Michel Le Bihan      |                    Owner:  (none)
         Type:  Bug                  |                   Status:  new
    Component:  contrib.auth         |                  Version:  5.1
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
  CommonPasswordValidator            |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Michel Le Bihan:

Old description:

> Hello,
>
> The common passwords database file
> (https://github.com/django/django/blob/main/django/contrib/auth/common-
> passwords.txt.gz) used by CommonPasswordValidator contains hexed strings
> like `$hex[617364666a6b6c3a]` on line 1679. That decodes to `asdfjkl:`
> which I believe is a common password that was intended to be included in
> the database. Another example is `$hex[2623323333363a]` on line 8616 that
> decodes to `&#2336:`. I see that
> https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
> contains the line `
> 50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a]`
> and `echo -n 'asdfjkl:' | sha1sum` produces
> `72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b`. CommonPasswordValidator does
> not handle those hexed strings which I believe is wrong.
>
> I propose to update the database file to decode the hexed values and
> remove those that obviously can't be entered by a user.

New description:

 Hello,

 The common passwords database file
 (https://github.com/django/django/blob/main/django/contrib/auth/common-
 passwords.txt.gz) used by CommonPasswordValidator contains hexed strings
 like `$hex[617364666a6b6c3a]` on line 1679. That decodes to `asdfjkl:`
 which I believe is a common password that was intended to be included in
 the database. Another example is `$hex[2623323333363a]` on line 8616 that
 decodes to `&#2336:`. I see that
 https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
 contains the line
 `50334:72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b:$HEX[617364666a6b6c3a]`
 and `echo -n 'asdfjkl:' | sha1sum` produces
 `72aff1cfd90a90fd4174eb6dfdff5df7bbbe7e5b`. CommonPasswordValidator does
 not handle those hexed strings which I believe is wrong.

 I propose to update the database file to decode the hexed values and
 remove those that obviously can't be entered by a user.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/36179#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
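Worked example (added here; not Django's code and not part of the ticket): a small normaliser that decodes `$HEX[...]` entries the way hashcat and the Pwned Passwords lists use the wrapper (raw password bytes as hex), drops decoded values that could not be typed into a password field, and then runs the same lowercase-and-strip lookup that `CommonPasswordValidator` performs. The sample list below is constructed for the demo and contains the two entries quoted in the ticket; the assumption that the hex bytes are UTF-8 is mine.

```python
import hashlib
import re
from typing import Iterable, List, Optional

# hashcat / Pwned-Passwords style wrapper: "$HEX[...]" with a case-insensitive prefix.
_HEX_RE = re.compile(r"^\$hex\[([0-9a-fA-F]*)\]$", re.IGNORECASE)


def decode_hex_entry(entry: str) -> Optional[str]:
    """Return the plain string for a $HEX[...] entry.

    Unwrapped entries are returned unchanged. Returns None when the hex is
    malformed or the bytes are not valid UTF-8 (assumption: the list stores
    UTF-8; such entries cannot be typed as text anyway).
    """
    m = _HEX_RE.match(entry)
    if not m:
        return entry
    digits = m.group(1)
    if len(digits) % 2:
        return None
    try:
        return bytes.fromhex(digits).decode("utf-8")
    except UnicodeDecodeError:
        return None


def is_enterable(password: str) -> bool:
    """Reject empty strings and anything containing control characters
    (newline, NUL, tab, ...) that a user could not plausibly submit."""
    return bool(password) and all(c.isprintable() for c in password)


def normalize_common_passwords(lines: Iterable[str]) -> List[str]:
    """Decode $HEX[...] entries, drop unenterable ones, de-duplicate
    case-insensitively (the validator compares lowercased input)."""
    seen = set()
    out = []
    for line in lines:
        decoded = decode_hex_entry(line.rstrip("\n"))
        if decoded is None or not is_enterable(decoded):
            continue
        key = decoded.lower()
        if key not in seen:
            seen.add(key)
            out.append(decoded)
    return out


def is_common(password: str, entries: Iterable[str]) -> bool:
    """Mirror of CommonPasswordValidator.validate(): membership test on
    password.lower().strip() against a set of stripped list entries."""
    return password.lower().strip() in {e.strip() for e in entries}


def sha1_hex(s: str) -> str:
    """SHA-1 of the UTF-8 bytes, as `echo -n ... | sha1sum` would report."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


# Constructed sample lines, not the real common-passwords.txt.gz contents.
SAMPLE_LINES = [
    "password",
    "$hex[617364666a6b6c3a]",  # "asdfjkl:" (ticket example, line 1679)
    "$hex[2623323333363a]",    # "&#2336:"  (ticket example, line 8616)
    "$HEX[0a]",                # a lone newline: not enterable, dropped
    "$HEX[ff]",                # not valid UTF-8: dropped
    "PASSWORD",                # duplicate of "password" after lowercasing
]

if __name__ == "__main__":
    raw = SAMPLE_LINES
    fixed = normalize_common_passwords(SAMPLE_LINES)
    print("raw list flags 'asdfjkl:':  ", is_common("asdfjkl:", raw))
    print("fixed list flags 'asdfjkl:':", is_common("asdfjkl:", fixed))
    print("sha1('asdfjkl:') =", sha1_hex("asdfjkl:"))
```

Against the raw list the check for `asdfjkl:` fails because the validator only ever sees the literal string `$hex[617364666a6b6c3a]`; after normalisation the same input is rejected. Whether entries like `&#2336:` (which looks like a stray HTML entity rather than a typed password) should survive is a judgement call the decoder cannot make on its own, so `is_enterable` only removes control characters and leaves that decision to whoever regenerates the list.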
