[Mailman-Users] Can I enforce secure admin passwords?

Stephen J. Turnbull stephen at xemacs.org
Wed Jun 3 07:14:31 CEST 2009


Mark Sapiro writes:

 > Adding a hook to a user supplied password checker could be done in 2.2.
 > I'll take a look at this idea. How about a default checker that just
 > checks for minimum length defined in Defaults.py/mm_cfg.py, but
 > overridable by the site. or maybe an mm_cfg.CheckPassword() function
 > defined in Defaults.py as
 > 
 > def CheckPassword(pwd):
 >     if len(pwd) > 0:
 >         return True
 >     else:
 >         return False
 > 
 > Then the site can redefine this in mm_cfg.py to do anything they want.

It occurs to me that this API is going to make it hard to provide help
to users.  Maybe CheckPassword's API should be to raise an
InvalidPasswordError with an appropriate reason, or alternatively to
return a false value if nothing is wrong with the password, otherwise
return a list of reasons it is invalid (i.e., return 'reasons' in the
example below).

So I'd like to be able to do

import re

# Exception the proposed hook would raise; defined here so the example
# stands on its own (the name is the one suggested above, not an
# existing Mailman class).
class InvalidPasswordError(Exception):
    def __init__(self, reasons):
        Exception.__init__(self, "; ".join(reasons))
        self.reasons = reasons

letter_re = re.compile("[a-zA-Z]")
digit_re = re.compile("[0-9]")

minimum_admin_password_length = 8

def MyCheckPassword(pwd):
    # require passwords to contain letters and digits, and collect every
    # problem so the user can be told all of them at once
    reasons = []
    if not letter_re.search(pwd):
        reasons.append("your password did not contain a letter")
    if not digit_re.search(pwd):
        reasons.append("your password did not contain a digit")
    if len(pwd) < minimum_admin_password_length:
        reasons.append("your password was not at least %d characters long" %
                       (minimum_admin_password_length,))
    if reasons:
        raise InvalidPasswordError(reasons)

# site override, as it would appear in mm_cfg.py
CheckPassword = MyCheckPassword

 > I think this should probably apply only to list and site passwords in
 > MM 2.2.

Agreed.
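As an added illustration of the hook design discussed in this thread (not code from Mailman or from either poster), the block below shows both sides of the proposed API: a default checker that only enforces a minimum length, a stricter site override installed the way mm_cfg.py would do it, a checker written in the alternative list-returning shape, and the calling side that turns either shape into a list of reasons to show the user. The configuration names, the blocked-password list and the sample passwords are constructed for the example and are not Mailman's own.

```python
import re

# Constructed stand-ins for values a site would put in Defaults.py /
# mm_cfg.py; the names are assumptions, not Mailman configuration keys.
MINIMUM_ADMIN_PASSWORD_LENGTH = 8
BLOCKED_PASSWORDS = {"password", "mailman", "letmein1"}   # constructed sample list


class InvalidPasswordError(ValueError):
    """Raised by a checker; .reasons holds human-readable reasons for the user."""

    def __init__(self, reasons):
        self.reasons = list(reasons)
        super().__init__("; ".join(self.reasons))


def default_check_password(pwd):
    """Default checker in the style of the proposal: minimum length only."""
    if len(pwd) < MINIMUM_ADMIN_PASSWORD_LENGTH:
        raise InvalidPasswordError([
            "your password was not at least %d characters long"
            % MINIMUM_ADMIN_PASSWORD_LENGTH])


_LETTER_RE = re.compile(r"[A-Za-z]")
_DIGIT_RE = re.compile(r"[0-9]")


def strict_check_password(pwd):
    """Site override: collect every problem rather than stopping at the first."""
    reasons = []
    if not _LETTER_RE.search(pwd):
        reasons.append("your password did not contain a letter")
    if not _DIGIT_RE.search(pwd):
        reasons.append("your password did not contain a digit")
    if len(pwd) < MINIMUM_ADMIN_PASSWORD_LENGTH:
        reasons.append("your password was not at least %d characters long"
                       % MINIMUM_ADMIN_PASSWORD_LENGTH)
    if pwd.lower() in BLOCKED_PASSWORDS:
        reasons.append("your password is on the site's blocked list")
    if reasons:
        raise InvalidPasswordError(reasons)


def list_style_check_password(pwd):
    """The other API shape from the message: return a list of reasons,
    or an empty (false) list when the password is acceptable."""
    reasons = []
    if len(pwd) < MINIMUM_ADMIN_PASSWORD_LENGTH:
        reasons.append("your password was not at least %d characters long"
                       % MINIMUM_ADMIN_PASSWORD_LENGTH)
    return reasons


# What a site's mm_cfg.py would do to install its own checker.
CheckPassword = strict_check_password


def password_problems(pwd, checker=None):
    """Calling side (e.g. the admin CGI before it saves a new list password).

    Accepts a checker of either shape: one that raises InvalidPasswordError,
    or one that returns a list of reasons (false value == accepted).  Returns
    the list of reasons to show the user; an empty list means accepted.
    """
    checker = checker or CheckPassword
    try:
        result = checker(pwd)
    except InvalidPasswordError as err:
        return list(err.reasons)
    return list(result) if result else []


if __name__ == "__main__":
    # Constructed sample candidates; none are real credentials.
    for candidate in ("abc12345", "abcdefgh", "letmein1", "1234"):
        print(repr(candidate), password_problems(candidate) or "accepted")
```

Because the calling side never inspects the password itself, the site can swap in any policy (dictionary check, history check, an external library) by rebinding CheckPassword, and the web UI only ever sees a list of strings to display.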

