w-a-r-m-inventory-system/Food-Pantry-Inventory

Allow a user to change their own password

Closed this issue · 4 comments

Provide a way for any active user to change their password.

Passwords must meet certain minimum requirements:

  • Must be at least 8 characters in length
  • Must have at least one alphanumeric character.
  • If length is less than 12 characters, must have:
    • An upper case character
    • A lower case character
    • A number
  • Cannot contain any form of these words:
    • WARM, password, 1234, the current month in letters or numbers

The screen must require both the valid old password and require the new password be typed in twice.
The screen should provide help about what a minimum password requires, except that it should only say that certain words are forbidden.

Access to this screen should require that the user login first.

  • Perhaps use a library (like password-checker) to prevent short and easy to guess passwords and password permutations (e.g. changing the suffix to the next month name or number)

  • If easy to do, provide a password expiration after some number of days (set in Constraints) but do not implement it for now.

I'm confused by "Must have at least one alphanumeric character." Is this the same as saying a password can't consist entirely of punctuation and other non-digit, non-letter characters? i.e. " **&))${}:"

I'm looking at sub-classing the built-in PasswordChangeForm. Django's PasswordChangeForm checks for commonly used passwords.

This issue was resolved with PR #290 so it can be closed.
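The requirements in the issue description, written out as an added example (not the project's code and not what PR #290 implemented). It assumes "any form of" means a case-insensitive substring match that also undoes common character swaps, and that the month "in numbers" is its zero-padded form; `check_password` and `PantryPasswordValidator` are hypothetical names, and the class mirrors the `validate` / `get_help_text` methods Django expects from a custom password validator.

```python
import datetime

# "Any form of" is read here (assumption) as a case-insensitive substring match,
# repeated after undoing common character swaps such as @ for a or 0 for o.
FORBIDDEN = ("warm", "password", "1234")
MONTHS = ("january february march april may june july august "
          "september october november december").split()
LEET = str.maketrans("@4$5031!", "aassoeii")


def forbidden_terms(today):
    """Fixed words plus the current month as a name and a zero-padded number."""
    return FORBIDDEN + (MONTHS[today.month - 1], f"{today.month:02d}")


def check_password(password, today=None):
    """Return rule violations as a list; an empty list means the password passes."""
    today = today or datetime.date.today()
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    if not any(c.isalnum() for c in password):
        problems.append("no_alphanumeric")
    if len(password) < 12:  # composition rules apply only to shorter passwords
        for name, test in (("no_upper", str.isupper), ("no_lower", str.islower),
                           ("no_digit", str.isdigit)):
            if not any(test(c) for c in password):
                problems.append(name)
    lowered = password.lower()
    variants = (lowered, lowered.translate(LEET))
    if any(term in v for term in forbidden_terms(today) for v in variants):
        problems.append("forbidden_word")
    return problems


class PantryPasswordValidator:
    """Hypothetical class with the method names Django password validators use."""

    def validate(self, password, user=None):
        problems = check_password(password)
        if problems:
            # Under Django, raise django.core.exceptions.ValidationError instead.
            raise ValueError(", ".join(problems))

    def get_help_text(self):
        # Per the issue, the help mentions forbidden words without listing them.
        return ("At least 8 characters; under 12 also needs upper case, "
                "lower case and a number. Certain words are forbidden.")
```

Passing `today` explicitly keeps the month rule testable; the same password can pass in March and fail in July.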