diff --git a/django/contrib/auth/common-passwords.txt.gz b/django/contrib/auth/common-passwords.txt.gz
index bc94fdec38..c23afebf30 100644
Binary files a/django/contrib/auth/common-passwords.txt.gz and b/django/contrib/auth/common-passwords.txt.gz differ
diff --git a/django/contrib/auth/password_validation.py b/django/contrib/auth/password_validation.py
index d24e69e0ce..8032c72155 100644
--- a/django/contrib/auth/password_validation.py
+++ b/django/contrib/auth/password_validation.py
@@ -222,7 +222,7 @@ class CommonPasswordValidator:
 The password is rejected if it occurs in a provided list of passwords,
 which may be gzipped. The list Django ships with contains 20000 common
- passwords (lowercased and deduplicated), created by Royce Williams:
+ passwords (unhexed, lowercased and deduplicated), created by Royce Williams:
 https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
 The password list must be lowercased to match the comparison in validate().
 """
diff --git a/tests/auth_tests/test_validators.py b/tests/auth_tests/test_validators.py
index d7e4968951..d6ee44511d 100644
--- a/tests/auth_tests/test_validators.py
+++ b/tests/auth_tests/test_validators.py
@@ -273,6 +273,15 @@ class CommonPasswordValidatorTest(SimpleTestCase):
 CommonPasswordValidator().validate("godzilla")
 self.assertEqual(cm.exception.messages, [expected_error])
+ def test_common_hexed_codes(self):
+ expected_error = "This password is too common."
+ common_hexed_passwords = ["asdfjkl:", "ठ:"]
+ for password in common_hexed_passwords:
+ with self.subTest(password=password):
+ with self.assertRaises(ValidationError) as cm:
+ CommonPasswordValidator().validate(password)
+ self.assertEqual(cm.exception.messages, [expected_error])
+
 def test_validate_custom_list(self):
 path = os.path.join(
 os.path.dirname(os.path.realpath(__file__)), "common-passwords-custom.txt"
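Review bot: "unhexed" on the changed docstring line is jargon a reader of CommonPasswordValidator cannot act on — it says neither what was encoded in the upstream list nor how it was decoded, and nothing else in the hunk explains it. Spelling it out keeps the docstring self-contained: `passwords (hex-encoded entries decoded, then lowercased and deduplicated), created by Royce Williams:`. Naming the decode step first also makes the processing order explicit, which matters because the following context line says the list must be lowercased to match validate()'s comparison — a decoded entry that was not subsequently lowercased would never match. The docstring and class continue outside the hunk.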
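Review bot: test_common_hexed_codes only feeds lowercase inputs, so it does not pin that the decoded entries were lowercased before being written to the shipped list — the docstring hunk in password_validation.py gives the order as unhexed, then lowercased, and an entry decoded to mixed case after the lowercasing step would pass validate() unnoticed while this test still stays green. Adding an upper-case variant covers that at no cost: `common_hexed_passwords = ["asdfjkl:", "ASDFJKL:", "ठ:"]`. The two sample values also read as arbitrary; a one-line comment above the list, such as `# Entries that are hex-encoded in the upstream list (non-ASCII and ':' bytes) and must still match after decoding.`, records why they were chosen — the hex-encoding reason is inferred from the test name and should be confirmed against the list's generation step. CommonPasswordValidatorTest continues outside the hunk; test_validate_custom_list's body is cut off at the end.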