In the Django tutorial, I'm at the part that says "You'll see a message for each database table it creates, and you'll get a prompt asking you if you'd like to create a superuser account for the authentication system. Go ahead and do that." I'm using Django 1.2.3.
In case it's relevant, I'm using SQLite, and in the settings file under mysite, I didn't set a password because you're supposed to leave it blank for SQLite. But right now I'm setting up the superuser account in the command line and it's demanding that I set a password. And it won't let me type.
So I leave it blank, and hit enter (which does work), and it asks me to confirm my password. I hit enter again. And it tells me, "Error: Your passwords didn't match."
Is there a reason it won't let me enter any text? Is there a way to get around this? This is just a development server, so I'm OK if the solution involves not setting a password at all, but it's not letting me do that either.
OK, so I know I have to enter something non-empty. The problem is, the command line is literally not letting me type there. I hit keys and the little blinking underscore doesn't move. All it will allow me to do is hit enter while it's still blank, but then the empty passwords don't match. I want to know why it's not letting me type.
You are not supposed to see the password you are typing. Just type your password, repeat exactly the same password when prompted and you should be OK.
The Django superuser password is independent of the password used to authenticate with the database server. The reason it won't let you set a non-blank password is because it's a security risk; Django doesn't care that your app will never see public use.
The password for the authentication module is separate from your database. You'll have to set a non-blank password for the superuser.
Related
How do I insert text, with what combinations?
SSH-in-browser Google?
When updating your password over SSH, no characters are displayed by default while typing the password, unless you don't have one, in which case it will prompt an error. Follow the standard/best practice for creating a secure password when it comes to the combination.
I'm using Django Allauth and have a number of questions.
(a) When a user registers they are instantly logged in and a confirmation email is sent to their inbox. I am wondering if this is best practice? Should the user instead be signed out after registration and only allowed to sign in using the link in their email?
I am also wondering about password change. The password change functionality that comes with Allauth simply asks the user to enter their old password then enter a new one twice. My two questions for this are (b) is this good practice or should I make my users request a new password via email, and (c) should I force logout my users after a password change and make them login using their new credentials?
(d) And lastly, if a user has forgotten their password they can request a new one sent to them via email. I could imagine this could easily be abused, as you do not need to be signed in to do this (a person or bot continually entering a user's email address, sending them thousands of password reset links). Is there a way to add a limit on a person's email address so that one user can only be sent maybe 2 password reset links per day?
I would appreciate answers to any of these questions and greatly appreciate any elaboration on how to do any of this, as I am new to Django and really don't know where to begin if I am to make these changes.
Thank you very much.
It all depends on what you want to do; if your site is gonna manage a lot of privacy data, then the story would be completely different. Assuming that it is true:
A) Best practice would be to be able to log in right away but they have restriction until they confirm the email.
B) Always request password change via email using a generated URL.
C) You should not keep the user logged in with the old password; either log them out or do an automatic re-login.
D) This is probably the most important here. There are a lot of ways to prevent such abuse; though they are not 100% effective, they are very effective. Here is the thing: 1) if your way to recover the password is by email, you can KEEP THE EMAIL PRIVATE, no one can see it, and what do you think the odds are of typing a random email that matches the one in your database? 2) Use popular antibots like Google's reCAPTCHA. 3) Set a limit of attempts on a limited range of time.
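A sketch of the per-address limit asked about in (d) and suggested in point 3 above, added here as an example; it is not code from the thread or from Allauth. The class and function names, the secret and the in-memory store are assumptions made for illustration, and the reply text is identical whether or not the address exists, so the form does not reveal which emails are registered.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed values for this example (not from the thread or from Allauth).
MAX_RESETS = 2                  # the "2 links per day" asked about in (d)
WINDOW_SECONDS = 24 * 60 * 60
KEY = b"example-only-secret"    # placeholder; load a real secret from settings
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


class ResetLimiter:
    """Sliding-window limit on password-reset mails per address (hypothetical)."""

    def __init__(self, max_resets=MAX_RESETS, window=WINDOW_SECONDS, clock=time.time):
        self.max_resets = max_resets
        self.window = window
        self.clock = clock
        self._sent = defaultdict(deque)   # keyed digest -> send timestamps

    def _key(self, email):
        # Normalise so " Bob@Example.com" and "bob@example.com" share one budget,
        # and keep only a keyed digest instead of the raw address.
        norm = email.strip().lower().encode()
        return hmac.new(KEY, norm, hashlib.sha256).hexdigest()

    def allow(self, email):
        now = self.clock()
        stamps = self._sent[self._key(email)]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()              # forget sends older than the window
        if len(stamps) >= self.max_resets:
            return False
        stamps.append(now)
        return True


def request_reset(limiter, registered, email, outbox):
    """Queue a mail only if under the limit; always return the same reply."""
    norm = email.strip().lower()
    if limiter.allow(email) and norm in registered:
        outbox.append(norm)               # stand-in for actually sending mail
    return GENERIC_REPLY
```

In a Django project the timestamps would live in a shared store such as the cache framework rather than in process memory, so the limit holds across workers and restarts.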
I'm trying to reset the CFAdmin password on a CF11 Enterprise server that has multiple CF instances running on the same server. The admin password on one of the instances is unknown, so we're trying to recover/change to a known password.
I've tried using the passwordreset.bat provided by Adobe, but after restarting the instance with lost admin password, that didn't work.
I also tried disabling the password altogether to access the admin console, per Adobe. This gets me into the admin console temporarily, but I'm not able to actually change the password since I don't know the old password. Leaving the old PW blank fails too. This is not a viable long-term option; we must have a password.
I even tried editing the password.properties file to type a password and set encryption=false, but that didn't work either.
I think I've exhausted all the standard ways to reset the password to no avail. Is there something else that I should do because it's a multi-instance setup? Is there some way to point it to the specific instance I want to change?
Is there a way to use Django's inbuilt password reset function without sending reset links via email, or without the email option? I am currently developing a simple system with a small number of users, for which sending emails is not needed. Thanks in advance.
There are some options in django.contrib.auth that allow you to change the password without needing to send an email:
PasswordChangeForm: A form that lets a user change their password by entering their old password.
SetPasswordForm: A form that lets a user set their password without entering the old password.
You can implement one of them in your view to change the user's password.
You can change the password with forms, and in views.py use the function make_password():

```python
from django.contrib.auth.hashers import make_password

# Inside the view, after binding passwordForm to request.POST
if passwordForm.is_valid():
    password = passwordForm.cleaned_data['password']
    # Store the hash produced by make_password(), never the raw password
    request.user.password = make_password(password)
    request.user.save()
```

make_password: https://docs.djangoproject.com/en/1.11/topics/auth/passwords/
I'm not familiar with Django, but I've worked on other apps before where access was gained for any user, even the initial admin, via password reset. In all those cases the method of working has been similar: the reset link is formed from some URL stub plus a unique key that is found in some database table somewhere. Manually assembling the link and using it worked out just fine, though one system used an emailsentdate column and refused to do anything unless it was populated, so check for anything similar if you don't get success with a simple approach.
If you absolutely have to have an email server, there do exist simple ones intended for dev use, like smtpdev; they behave like an SMTP server to fool an app that demands one, but they don't send the emails on to anywhere, they just display them. They are intended for debugging but might help you if Django insists on one being configured that looks like a real mail server.
Is it possible to log the wrong passwords entered in the Change User login form?
(So actually one or more users are logged in, and the change user form is shown by pressing Win+L, or by using the Start Menu.)
No, it is not possible, since password attempts aren't stored, neither hashed nor in plain text.