diff --git a/django/contrib/auth/common-passwords.txt.gz b/django/contrib/auth/common-passwords.txt.gz index e758dbe9a7..bc94fdec38 100644 Binary files a/django/contrib/auth/common-passwords.txt.gz and b/django/contrib/auth/common-passwords.txt.gz differ diff --git a/django/contrib/auth/password_validation.py b/django/contrib/auth/password_validation.py index 3f8f888ddc..a5002372d2 100644 --- a/django/contrib/auth/password_validation.py +++ b/django/contrib/auth/password_validation.py @@ -221,7 +221,7 @@ class CommonPasswordValidator: The password is rejected if it occurs in a provided list of passwords, which may be gzipped. The list Django ships with contains 20000 common passwords (lowercased and deduplicated), created by Royce Williams: - https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7 + https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce The password list must be lowercased to match the comparison in validate(). """ diff --git a/docs/releases/4.2.txt b/docs/releases/4.2.txt index 6cfd0865f6..718f09b9dc 100644 --- a/docs/releases/4.2.txt +++ b/docs/releases/4.2.txt @@ -274,7 +274,8 @@ Utilities Validators ~~~~~~~~~~ -* ... +* The list of common passwords used by ``CommonPasswordValidator`` is updated + to the most recent version. .. _backwards-incompatible-4.2: diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt index cd6fdea811..7f92685775 100644 --- a/docs/topics/auth/passwords.txt +++ b/docs/topics/auth/passwords.txt 
@@ -615,12 +615,17 @@ Django includes four validators: Validates that the password is not a common password. This converts the password to lowercase (to do a case-insensitive comparison) and checks it against a list of 20,000 common password created by `Royce Williams - `_. + `_. The ``password_list_path`` can be set to the path of a custom file of common passwords. This file should contain one lowercase password per line and may be plain text or gzipped. + .. versionchanged:: 4.2 + + The list of 20,000 common passwords was updated to the most recent + version. + .. class:: NumericPasswordValidator() Validate that the password is not entirely numeric.
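Review bot: The replaced django/contrib/auth/common-passwords.txt.gz appears only as "Binary files ... differ", so nothing in this diff confirms that the new list still matches what the CommonPasswordValidator docstring promises: 20000 entries, lowercased and deduplicated, with lowercase required "to match the comparison in validate()". Because the password is lowercased before lookup, any mixed-case entry in the new file would never match and would silently weaken the validator. Please state in the commit message how the file was produced from the gist, and consider a test that decompresses the shipped file and asserts the entry count and that every line equals its lowercased form.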
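Review bot: In the CommonPasswordValidator docstring hunk of django/contrib/auth/password_validation.py, the new gist link is unpinned, like the one it replaces, so it points at whatever the gist contains when a reader follows it rather than at the data compressed into common-passwords.txt.gz. Consider linking to a specific revision of the gist, or recording the retrieval date next to the URL, so the shipped file can be reproduced and audited later.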
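Review bot: The new entry under Validators in docs/releases/4.2.txt says the list "is updated to the most recent version", which does not tell someone upgrading what changes for them. Suggest saying that the set of passwords rejected by ``CommonPasswordValidator`` changes in this release, and pointing to the password validation topic where the source of the list is given.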
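Review bot: In the docs/topics/auth/passwords.txt hunk, the sentence being edited still reads "a list of 20,000 common password created by"; since the change already touches this sentence, fix it to "common passwords". The ``versionchanged:: 4.2`` text "updated to the most recent version" will also read as stale once a later release refreshes the list again; "The list of 20,000 common passwords was updated." stays accurate.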