How does Django validate passwords?
#python
#django
August 30, 2020
python manage.py createsuperuser
1. The changepassword command
2. Fetching the correct database
3. Creating the superuser without interaction
4. Required fields and interactive mode
5. The validate password method
When I passed a password similar to the username, it failed, saying:
The password is too similar to the username.
manage.py file itself, which in turn was importing and executing a method called execute_from_command_line.
I traced it back and found a package commands containing everything that I wanted to know. This directory had two files.
1. createsuperuser.py
2. changepassword.py
The changepassword command
Since I had never used/heard about the changepassword command, I thought of trying it first and to my great pleasure, it worked. You have to pass the username as the first argument.
python manage.py changepassword username
createsuperuser command class in more detail.
Fetching the correct database
If you have been using Django for some time, you know that Django lets you change a lot of things through the settings you define. This includes using a custom model as your base User model. This is the first thing that the superuser creation __init__ constructor method checks for.
Creating the superuser without interaction
You can use a version of the command that allows you to create the superuser without any interaction.
python manage.py createsuperuser --username ranvir --email abc@abc.com --no-input
changepassword command or the admin panel.
Required fields and interactive mode
For the default User model, email is the only required field, but you can change that by changing your REQUIRED_FIELDS setting as well.
In the interactive mode (which is also the default mode), the first thing the prompt asks you to fill in is the username.
Django tries to smartly suggest the current system username as the default username. (Just Wow)
The validate password method
Sorry for keeping you waiting this long before jumping onto the real reason behind the post. The validate_password function is what validates the password provided by the user.
Again, we can configure all of these validators as well. If these password validations don't work for you, go ahead and remove the classes from your settings file.
These are the default validators.
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]
- Should not be similar to username, first_name, last_name and email. It also checks for the similarity using SequenceMatcher. It should be less than 0.7 similar, which you can customize. (Told you, it’s AI)
- Should be greater than 8 characters.
- Should not be in the list of common passwords. The list of common passwords is in the file common-passwords.txt.gz. It contains a list of around 20000 common passwords which you should not use.
- Should not contain all numeric characters.
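The similarity rule from the first bullet, as an added stand-alone sketch (not code from the original post or from Django itself). It uses only the standard library; the function names and the sample user are hypothetical, and the use of quick_ratio() as the SequenceMatcher measure is an assumption.

```python
import re
from difflib import SequenceMatcher

# Attributes named in the list above.
USER_ATTRIBUTES = ("username", "first_name", "last_name", "email")


def similarity(password, value):
    """Highest SequenceMatcher score between the password and an attribute value.

    The value is compared both whole and split on non-word characters, so
    "abc@abc.com" is also tried as "abc" and "com". Comparison ignores case.
    """
    password = password.lower()
    value = value.lower()
    parts = [p for p in re.split(r"\W+", value) if p] + [value]
    # quick_ratio() is a cheap upper bound on ratio(): it counts shared
    # characters regardless of order (the choice of measure is an assumption).
    return max(SequenceMatcher(a=password, b=p).quick_ratio() for p in parts)


def similar_attributes(password, user, max_similarity=0.7):
    """Return the attribute names the password is too similar to."""
    flagged = []
    for attr in USER_ATTRIBUTES:
        value = user.get(attr)
        # Empty or missing attributes cannot be matched, so skip them.
        if value and similarity(password, value) >= max_similarity:
            flagged.append(attr)
    return flagged


# Constructed sample user, reusing the username and email from the command above.
SAMPLE_USER = {
    "username": "ranvir",
    "first_name": "Ranvir",
    "last_name": "Singh",
    "email": "abc@abc.com",
}

if __name__ == "__main__":
    for candidate in ("ranvir123", "Singh2020", "Tr0ub4dor&Horse"):
        print(candidate, similar_attributes(candidate, SAMPLE_USER))
```

Raising max_similarity loosens the rule: at 0.9 the password "ranvir123" (score 0.8 against the username) is no longer flagged.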
About Author
Ranvir Singh
Greetings! Ranvir is an Engineering professional with 3+ years of experience in Software development.