[Django]-Enforcing password strength requirements with django.contrib.auth.views.password_change

Django 1.9 offers a built-in password validation to help prevent the usage of weak passwords by users. It’s enabled by modifing the AUTH_PASSWORD_VALIDATORS setting in our project. By default Django comes with following validators:

• UserAttributeSimilarityValidator, which checks the similarity between
  the password and a set of attributes of the user.
• MinimumLengthValidator, which simply checks whether the password
  meets a minimum length. This validator is configured with a custom
  option: it now requires the minimum length to be nine characters,
  instead of the default eight.
• CommonPasswordValidator, which checks
  whether the password occurs in a list of common passwords. By
  default, it compares to an included list of 1000 common passwords.
• NumericPasswordValidator, which checks whether the password isn’t
  entirely numeric.

This example enables all four included validators:

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
        'OPTIONS': {
            'min_length': 9,
        }
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

As some eluded to with the custom validators, here’s the approach I would take…

Create a validator:

from django.core.exceptions import ValidationError
from django.utils.translation import ugettext as _

def validate_password_strength(value):
    """Validates that a password is as least 7 characters long and has at least
    1 digit and 1 letter.
    """
    min_length = 7

    if len(value) < min_length:
        raise ValidationError(_('Password must be at least {0} characters '
                                'long.').format(min_length))

    # check for digit
    if not any(char.isdigit() for char in value):
        raise ValidationError(_('Password must contain at least 1 digit.'))

    # check for letter
    if not any(char.isalpha() for char in value):
        raise ValidationError(_('Password must contain at least 1 letter.'))

Then add the validator to the form field you’re looking to validate:

from django.contrib.auth.forms import SetPasswordForm

class MySetPasswordForm(SetPasswordForm):

    def __init__(self, *args, **kwargs):
        super(MySetPasswordForm, self).__init__(*args, **kwargs)
        self.fields['new_password1'].validators.append(validate_password_strength)

I’d just install django-passwords and let that handle it for you: https://github.com/dstufft/django-passwords

After that you can simply subclass the registration form and replace the field with a PasswordField.

I think you should just write your own validator ( or use RegexValidator, see: http://docs.djangoproject.com/en/dev/ref/validators/ ) if you use forms or write some other script checking for regular expressions. This should be a simple task. Also I don’t think there is any builtin mechanism, simply because each person understands the concept of “strong password” a little bit different.