Merge pull request #950 from alphagov/8-char-password

Reduce minimum password length to 8 characters

app/main/forms.py

@@ -72,8 +72,8 @@ def mobile_number():
 def password(label='Password'):
     return PasswordField(label,
                          validators=[DataRequired(message='Can’t be empty'),
-                                     Length(10, 255, message='Must be at least 10 characters'),
-                                     Blacklist(message='That password is blacklisted, too common')])
+                                     Length(8, 255, message='Must be at least 8 characters'),
+                                     Blacklist(message='Choose a password that’s harder to guess')])
 
 
 def sms_code():

app/main/validators.py

@@ -2,6 +2,7 @@ import re
 from wtforms import ValidationError
 from notifications_utils.template import Template
 from app.utils import Spreadsheet
+from ._blacklisted_passwords import blacklisted_passwords
 
 
 class Blacklist(object):
@@ -11,7 +12,7 @@ class Blacklist(object):
         self.message = message
 
     def __call__(self, form, field):
-        if field.data in ['password1234', 'passw0rd1234']:
+        if field.data in blacklisted_passwords:
             raise ValidationError(self.message)
 
 

tests/app/main/test_validators.py

@@ -5,16 +5,19 @@ from wtforms import ValidationError
 from unittest.mock import Mock
 
 
-def test_should_raise_validation_error_for_password(app_, mock_get_user_by_email):
+@pytest.mark.parametrize('password', [
+    'govuknotify', '11111111', 'kittykat', 'evangeli'
+])
+def test_should_raise_validation_error_for_password(app_, mock_get_user_by_email, password):
     with app_.test_request_context():
         form = RegisterUserForm()
         form.name.data = 'test'
         form.email_address.data = 'teset@example.gov.uk'
         form.mobile_number.data = '441231231231'
-        form.password.data = 'password1234'
+        form.password.data = password
 
         form.validate()
-        assert 'That password is blacklisted, too common' in form.errors['password']
+        assert 'Choose a password that’s harder to guess' in form.errors['password']
 
 
 def test_valid_email_not_in_valid_domains(app_):
@@ -30,7 +33,7 @@ def test_valid_email_in_valid_domains(app_):
             name="test",
             email_address="test@my.gov.uk",
             mobile_number='4407888999111',
-            password='1234567890')
+            password='an uncommon password')
         form.validate()
         assert form.errors == {}
 

tests/app/main/views/test_register.py

@@ -117,10 +117,10 @@ def test_should_return_200_if_password_is_blacklisted(app_,
                                            data={'name': 'Bad Mobile',
                                                  'email_address': 'bad_mobile@example.not.right',
                                                  'mobile_number': '+44123412345',
-                                                 'password': 'password1234'})
+                                                 'password': 'password'})
 
     response.status_code == 200
-    assert 'That password is blacklisted, too common' in response.get_data(as_text=True)
+    assert 'Choose a password that’s harder to guess' in response.get_data(as_text=True)
 
 
 def test_register_with_existing_email_sends_emails(app_,

tests/app/main/views/test_user_profile.py

@@ -284,8 +284,8 @@ def test_should_redirect_after_password_change(app_,
         with app_.test_client() as client:
             client.login(api_user_active)
         data = {
-            'new_password': '1234567890',
-            'old_password': '4567676328'}
+            'new_password': 'the new password',
+            'old_password': 'the old password'}
         response = client.post(
             url_for('main.user_profile_password'),
             data=data)