Conditional validators

[shacker]

We have this crazy idea that, since length is ultimately more important than randomness, it should be possible to let a user skip some of the rules if they choose a nice long passphrase. For example (simplified):

if len(password) < 24:
  # upper, lower, digit, punctuation required
else:
  # no validation required

I've got django-passwords working fine, but haven't been able to come up with a way to call the set of validators anywhere but in the in the field constructor, which is too early. Have tried various experiments in the clean() method and in clean_password() but no luck. Is this possible? Suggestions? Thanks.

[maccesch]

The right way would be to write a CompositeValidator which has as members the existing validators but calls them only when the length of the password is shorter than some (configurable) threshold.

Pseudocode:

class CompositeValidator(object):
    length_validator = LengthValidator(PASSWORD_MIN_LENGTH, PASSWORD_MAX_LENGTH)
    complexity_validator = ComplexityValidator(PASSWORD_COMPLEXITY)
    ... further validators

    def __call__(self, value):
        try:
            self.length_validator(value)
            return
        except ValidationError:
            self.complexity_validator(value)
            self.other_validator(value)
            .... further validators

[shacker]

Thanks very much @maccesch . Looks like I'm going to take a different approach to this, but I really appreciate your taking the time out to suggest a solution.

Cheers!

[maccesch]

What approach are you taking? Maybe I can learn something... ;)

[shacker]

Password length is so important - even more important than randomness. We wanted to let users choose a strong password no matter how they got there. Could be readable and full of dictionary words as long as it's long. Or a user might prefer a short, random looking password. Or a combination. We don't care how they get there, as long as its strong. We also wanted to provide visual feedback in the form in real time rather than having to submit / refresh each time.

I came across this article on a JS package called zxcvbn which sounded fantastic. But I still wanted back-end validation. Then I found a python port of the same package:

https://github.com/dropbox/python-zxcvbn

So, what I'm working on is this:

• Choose a minimum entropy level that will apply everywhere - stored in settings
• Write a simple minimal clean() method for field validation without javascript
• Write a simple JSON endpoint that returns "valid":true/false and a dictionary of returned entropy factors
• Do the rest in JS on the page, consuming that API on most keypresses (using jquery debounce to throttle it a bit)

The result took a bit of fiddling and is a bit "fuzzy" but it's working great! I might publish it.

[maccesch]

Sounds great! Please do publish it.

[shacker]

Hi @maccesch - I've written up a blog post detailing the approach I took here:

http://birdhouse.org/blog/2015/06/16/sane-password-strength-validation-for-django-with-zxcvbn/

Hope someone finds it useful!

[maccesch]

Nice, thanks! Im reopening this issue to maybe be implemented in the future