django-passwords's Introduction

Django Passwords

django-passwords is a reusable app that provides a form field and validators that check the strength of a password.

Installation

You can install django-passwords with pip by typing:

pip install django-passwords

Or with easy_install by typing:

easy_install django-passwords

Or manually by downloading a tarball and typing:

python setup.py install

Compatibility

django-passwords is compatible with Django 1.3 through 1.9 RC1. Python 2.7 and 3.4 are both supported.

Settings

django-passwords adds 6 optional settings

Optional:

Specifies minimum length for passwords:

Specifies maximum length for passwords:

Specifies the location of a dictionary (file with one word per line):

Specifies how close a fuzzy match has to be to be considered a match:

Specifies a list of common sequences to attempt to match a password against:

Specifies number of characters within various sets that a password must contain:

Usage

To use the formfield simply import it and use it:

You can make use of the validators on your own fields:

You can also create custom validator instances to specify your own field-specific configurations, rather than using the global configurations:

Django's password validation API is slightly different than the form validation API and has wrappers in the auth_password_validators module:

django-passwords's People

Contributors

acdha, alexandrt, amin-pylot, bashu, bennullgraham, bgrigorovich, cediddi, chschuermann, craigds, darakian, dstufft, ellmetha, glasslion, hoerin, jacoor, jgb, joshkel, lexqt, maccesch, maxicecilia, nathanbigaignon, psychok7, rtravessini, samuelcolvin, tonioo, vstoykov

django-passwords's Issues

Django 4.0 compatibility

Django 4.0 has removed the following methods:

  • django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(), ungettext(), ungettext_lazy()
    These methods have aliases:
  • django.utils.translation.gettext(), gettext_lazy(), gettext_noop(), ngettext(), and ngettext_lazy()

Please fix references to the obsolete methods in the following modules:

  • ./passwords/fields.py
  • ./passwords/validators.py

can't enable fuzzy matching for translation

It looks like two strings are being used interchangeably, but with different meaning and format specification:

https://github.com/dstufft/django-passwords/blob/master/passwords/locale/es/LC_MESSAGES/django.po#L65-L67

#: validators.py:106
#, fuzzy, python-format
#| msgid "Must contain %(WORDS)s or more unique words"
msgid "%(LETTERS)s or more unique letters"
msgstr "Debe tener %(WORDS)s o más palabras únicas"

Normally this doesn't get translated at all by gettext, but with fuzzy translation enabled, the mismatch between LETTERS in msgid and WORDS in msgstr can't be reconciled.

There's a similar problem with SPECIAL and NON-ASCII later in the file.

$ python manage.py compilemessages --locale=es
...
processing file django.po in ...venv/lib/python2.7/site-packages/passwords/locale/es/LC_MESSAGES
CommandError: Execution of msgfmt failed: ...venv/lib/python2.7/site-packages/passwords/locale/es/LC_MESSAGES/django.po:67: a format specification for argument 'LETTERS' doesn't exist in 'msgstr'
...venv/lib/python2.7/site-packages/passwords/locale/es/LC_MESSAGES/django.po:85: a format specification for argument 'NON ASCII', as in 'msgstr', doesn't exist in 'msgid'

Looking at validators.py, it seems safe to remove the fuzzy match and get new translation strings, but that involves getting new translation strings, which is beyond my capabilities to propose.

If I understand correctly, no fuzzy translation is currently working though.

Dictionary handling _very_ slow.

My first time using the dictionary feature of this library was to use the /usr/share/dict/words dictionary as outlined in the documentation. On my system, this file contains just shy of 0.5M words.

However, if one does this, the validation step takes several minutes as the file is loaded, parsed then searched for the word. This happens for every form submittal. This renders this feature unusable. I don't have time to fix this right now, but one way to handle this is to use a preprocessing step that will convert the dictionary to a searchable form. This can easily be integrated into one's deploy procedure, so that the dictionary is sourced from a plain text file whenever the code is deployed. Optionally, a management command could be added that would perform this pre-processing.

An example of this type of operation can be taken from postfix (the MTA). It uses the postmap command to convert text lists into searchable databases so that the MTA can do a huge number of lookups very quickly.

http://www.postfix.org/postmap.1.html

A further optimization would be to trim words from the dictionary that are shorter than the configured minimal length. Potential passwords shorter than this length are rejected outright so the existence of these words in the dictionary bloats it unnecessarily.
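One way to do the preprocessing this issue proposes, as an added example that is not django-passwords code: the word list is converted once, at deploy time, into an indexed SQLite file, and each validation becomes a single keyed lookup. The function names, table layout and sample words are assumptions, and the lookup is exact-match only; it does not reproduce the fuzzy matching described under Settings.

```python
import os
import sqlite3
import tempfile


def build_index(words_path, db_path, min_length=6):
    """Deploy-time step: one-word-per-line file -> indexed SQLite table.

    Words shorter than min_length are dropped, since a password that short
    fails the length check anyway. Returns the number of words stored.
    """
    con = sqlite3.connect(db_path)
    try:
        con.execute("DROP TABLE IF EXISTS words")
        con.execute("CREATE TABLE words (w TEXT PRIMARY KEY)")
        with open(words_path, encoding="utf-8", errors="replace") as fh:
            words = (line.strip().lower() for line in fh)
            con.executemany(
                "INSERT OR IGNORE INTO words VALUES (?)",
                ((w,) for w in words if len(w) >= min_length),
            )
        con.commit()
        return con.execute("SELECT COUNT(*) FROM words").fetchone()[0]
    finally:
        con.close()


def is_dictionary_word(db_path, candidate):
    """Request-time step: exact, case-insensitive lookup via the index."""
    con = sqlite3.connect(db_path)
    try:
        key = (candidate.strip().lower(),)
        row = con.execute("SELECT 1 FROM words WHERE w = ?", key).fetchone()
        return row is not None
    finally:
        con.close()


def demo():
    # Constructed sample word list, not a real system dictionary.
    sample = ["cat", "Password", "dragon", "sunshine", "monkey", "a", "dragon"]
    with tempfile.TemporaryDirectory() as tmp:
        words_path = os.path.join(tmp, "words.txt")
        db_path = os.path.join(tmp, "words.db")
        with open(words_path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(sample) + "\n")
        stored = build_index(words_path, db_path, min_length=6)
        return stored, is_dictionary_word(db_path, "PASSWORD"), is_dictionary_word(db_path, "cat")
```

Running `build_index` from the deploy procedure or a management command keeps the text file as the source of truth while the web process only reads the database.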

Conditional validators

We have this crazy idea that, since length is ultimately more important than randomness, it should be possible to let a user skip some of the rules if they choose a nice long passphrase. For example (simplified):

if len(password) < 24:
  # upper, lower, digit, punctuation required
else:
  # no validation required

I've got django-passwords working fine, but haven't been able to come up with a way to call the set of validators anywhere but in the field constructor, which is too early. Have tried various experiments in the clean() method and in clean_password() but no luck. Is this possible? Suggestions? Thanks.
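A sketch of the length-gated idea from this issue, added here and not part of django-passwords: Django calls each entry in a field's validators list with the submitted value, so a callable wrapper can decide per value which rules to apply. The class name, the stand-in rules and the thresholds are assumptions.

```python
import string

try:  # Django's own exception when it is installed ...
    from django.core.exceptions import ValidationError
except ImportError:  # ... else a stand-in so the example runs on its own
    class ValidationError(Exception):
        pass

# Stand-in rules (hypothetical; a real form would pass library validators).
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "punctuation": string.punctuation,
}

def require_all_classes(value):
    missing = [n for n, chars in CLASSES.items() if not set(value) & set(chars)]
    if missing:
        raise ValidationError("Missing: " + ", ".join(missing))

def reject_low_variety(value, min_unique=6):
    if len(set(value)) < min_unique:
        raise ValidationError("Too few distinct characters")

class LengthGatedValidator:
    """Callable validator: `always` rules run on every value, `short_only`
    rules run only when the value is shorter than `threshold`."""

    def __init__(self, threshold, short_only, always=()):
        self.threshold = threshold
        self.short_only = list(short_only)
        self.always = list(always)

    def __call__(self, value):
        # Called with the submitted value, so its length is known here.
        for rule in self.always:
            rule(value)
        if len(value) < self.threshold:
            for rule in self.short_only:
                rule(value)

def accepts(validator, value):
    """Return True when the validator raises nothing for this value."""
    try:
        validator(value)
    except ValidationError:
        return False
    return True

GATED = LengthGatedValidator(24, [require_all_classes], always=[reject_low_variety])
```

Passed as `validators=[GATED]` on a form field, the gate runs at clean time; rules that length does not cover, such as repeated characters, dictionary words or common sequences, belong in `always`.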

Issue with pypi

There is a problem with the django-passwords package hosted on pypi: pypi lists django-passwords 0.3.2 as being the most recent release, but in fact it is not possible to pip install it.

$ pip install django-passwords==0.3.2
Collecting django-passwords==0.3.2
  Could not find a version that satisfies the requirement django-passwords==0.3.2 (from versions: 0.2.0)
No matching distribution found for django-passwords==0.3.2

compatible with django 3?

Is this package compatible with Django 3?
Also, in the future, how can I know this without having to ask?
Thank you!

Translations defect

Hi,

Translations in the validators.py were changed but not in the .po files, so translation for the validation messages is broken.

Validation not being applied on user creation

Hi,

I have managed to make django-passwords work for default django admin users, but only when they try to change their password. I don't seem to find a way to make this work when creating a user.

Here is my code:

forms.py

from django.contrib.auth.forms import SetPasswordForm,PasswordChangeForm
from django.utils.translation import ugettext_lazy as _
from passwords.fields import PasswordField

class ValidatingSetPasswordForm(SetPasswordForm):
    new_password2 = PasswordField(label=_("New password confirmation"))

class ValidatingPasswordChangeForm(PasswordChangeForm):
    new_password2 = PasswordField(label=_("New password confirmation"))

As you can see I have been able to override the field new_password2 setting it up as a PasswordField.

Then I force those urls to go through my forms, see below:

urls.py

urlpatterns = patterns('',
    url(r'^admin/password_change/$', 'django.contrib.auth.views.password_change',{'password_change_form': ValidatingPasswordChangeForm}),
    url(r'^admin/password_changed/$', 'django.contrib.auth.views.password_change_done'),
    url(r'^admin/password_reset/$', 'django.contrib.auth.views.password_reset'),
    url(r'^admin/password_reset_done/$', 'django.contrib.auth.views.password_reset_done'),
    url(r'^admin/password_reset_complete/$', 'django.contrib.auth.views.password_reset_complete'),
    url(r'^admin/password_reset_confirm/(?P<uidb36>[-\w]+)/(?P<token>[-\w]+)/$','django.contrib.auth.views.password_reset_confirm',{'set_password_form': ValidatingSetPasswordForm}),

    url(r'^admin/', include(admin.site.urls)),
)

What am I missing?

Any help would be highly appreciated.

Unable to override AdminPasswordChangeForm to use PasswordFields

I've been able to successfully subclass Django's UserCreationForm and PasswordChangeForm to use PasswordField instead of the regular PasswordInput widget, but I'm having issues with AdminPasswordChangeForm and I'm not sure why.

I don't have a very complex configuration, I've just defined a PASSWORD_MIN_LENGTH and PASSWORD_COMPLEXITY.

Firstly, I wanted to only override password1, since password2 has to match that anyway (that's also how I've done it with the other two forms). But if I do that with AdminPasswordChangeForm, only the first input field appears on the form; the second is simply missing.

Secondly, if I define both password1 and password2 as PasswordFields (or password1 as a PasswordField and password2 as a regular PasswordInput, exactly as it is defined in AdminPasswordChangeForm), I only see the correct error message if the password is not complex enough. Otherwise, I get the "Please correct the errors below" message at the top of the form, but no error message on either of the inputs. This is the case whether I enter the same, complex password in both inputs, or if I enter mismatched, complex passwords.

Any ideas for what's going wrong here?

Django 1.7, Python 3.4 ImportError: cannot import name 'smart_unicode'

Hello everybody!

I use python 3.4 and django 1.7. Library version is 0.3.1, installed from repository: git+git://github.com/dstufft/[email protected]

This version raises ImportError: during

from passwords.fields import PasswordField
...
from passwords.validators import validate_length, common_sequences, dictionary_words, complexity
...
from django.utils.encoding import smart_unicode
ImportError: cannot import name 'smart_unicode'

That's because smart_unicode is supported only for python2: https://docs.djangoproject.com/en/1.7/ref/utils/#django.utils.encoding.smart_unicode

Combine punctuation with special characters

When I configure complexity to require at least one special character and enter some of #$@^ it does not recognize them as special and still gives me a ValidationError.

When I see which are punctuation characters in Python I see a list of not only punctuation but also special characters.

>>> import string
>>> string.punctuation
'!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'

I think that from the user perspective all of these are special characters. For punctuation most people think of only .,!?:;, also in all form validation that I've seen they consider special character everything which is not a letter or number.

What do you think about combining them together?

Override validator message

Hey All,

I'm using the dictionary validator as a common password blacklist and it works a treat. The only issue I have is that the error message which gets propagated to the user is based on a dictionary word, which for a password like 1234qwer reads a bit counter intuitively.

Is it possible to override the error message when simply importing the dictionary validator or do I need to do more?

A typo in default COMMON_SEQUENCES

In validators.py file, there is a typo for common sequences based on "qwerty" keyboards.

COMMON_SEQUENCES = [
"0123456789",
"`1234567890-=",
"~!@#$%^&*()_+",
"abcdefghijklmnopqrstuvwxyz",
"quertyuiop[]\asdfghjkl;'zxcvbnm,./",
'quertyuiop{}|asdfghjkl;"zxcvbnm<>?',
"quertyuiopasdfghjklzxcvbnm",
"1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik,9ol.0p;/-['=]",
"qazwsxedcrfvtgbyhnujmikolp"
]

should be like this

COMMON_SEQUENCES = [
(...)
"qwertyuiop[]\asdfghjkl;'zxcvbnm,./",
'qwertyuiop{}|asdfghjkl;"zxcvbnm<>?',
"qwertyuiopasdfghjklzxcvbnm",
(...)
]

New release

Can we get a new release? The last release is going on 4 years old.

Documentation pypi versus github

The documentation on github does not match the documentation for the latest package 0.3.4 (specifically regarding the consolidation of PUNCTUATION and SPECIAL), which can lead to some surprising errors :) I couldn't figure out why the validator wasn't validating my "special" character. Perhaps could have a warning telling users to refer to documentation on pypi, if they install with pip.
