django-passwords icon indicating copy to clipboard operation
django-passwords copied to clipboard

Published 20 hours ago verified publisher icon dstufft

Conditional validators

Open shacker opened this issue 10 years ago • 7 comments

We have this crazy idea that, since length is ultimately more important than randomness, it should be possible to let a user skip some of the rules if they choose a nice long passphrase. For example (simplified):

if len(password) < 24:
  # upper, lower, digit, punctuation required
else:
  # no validation required

I've got django-passwords working fine, but haven't been able to come up with a way to call the set of validators anywhere but in the in the field constructor, which is too early. Have tried various experiments in the clean() method and in clean_password() but no luck. Is this possible? Suggestions? Thanks.

shacker avatar Jun 09 '15 00:06 shacker

The right way would be to write a CompositeValidator which has as members the existing validators but calls them only when the length of the password is shorter than some (configurable) threshold.

Pseudocode:

class CompositeValidator(object):
    length_validator = LengthValidator(PASSWORD_MIN_LENGTH, PASSWORD_MAX_LENGTH)
    complexity_validator = ComplexityValidator(PASSWORD_COMPLEXITY)
    ... further validators

    def __call__(self, value):
        try:
            self.length_validator(value)
            return
        except ValidationError:
            self.complexity_validator(value)
            self.other_validator(value)
            .... further validators

maccesch avatar Jun 10 '15 07:06 maccesch

Thanks very much @maccesch . Looks like I'm going to take a different approach to this, but I really appreciate your taking the time out to suggest a solution.

Cheers!

shacker avatar Jun 11 '15 06:06 shacker

What approach are you taking? Maybe I can learn something... ;)

maccesch avatar Jun 11 '15 09:06 maccesch

Password length is so important - even more important than randomness. We wanted to let users choose a strong password no matter how they got there. Could be readable and full of dictionary words as long as it's long. Or a user might prefer a short, random looking password. Or a combination. We don't care how they get there, as long as its strong. We also wanted to provide visual feedback in the form in real time rather than having to submit / refresh each time.

I came across this article on a JS package called zxcvbn which sounded fantastic. But I still wanted back-end validation. Then I found a python port of the same package:

https://github.com/dropbox/python-zxcvbn

So, what I'm working on is this:

  • Choose a minimum entropy level that will apply everywhere - stored in settings
  • Write a simple minimal clean() method for field validation without javascript
  • Write a simple JSON endpoint that returns "valid":true/false and a dictionary of returned entropy factors
  • Do the rest in JS on the page, consuming that API on most keypresses (using jquery debounce to throttle it a bit)

The result took a bit of fiddling and is a bit "fuzzy" but it's working great! I might publish it.

shacker avatar Jun 11 '15 14:06 shacker

Sounds great! Please do publish it.

maccesch avatar Jun 11 '15 22:06 maccesch

Hi @maccesch - I've written up a blog post detailing the approach I took here:

http://birdhouse.org/blog/2015/06/16/sane-password-strength-validation-for-django-with-zxcvbn/

Hope someone finds it useful!

shacker avatar Jun 16 '15 15:06 shacker

Nice, thanks! Im reopening this issue to maybe be implemented in the future

maccesch avatar Jun 22 '15 12:06 maccesch