Password security

How Weblate stores passwords

Weblate uses Django's implementation to store hashed passwords; see How Django stores passwords.

The recommended Weblate configuration uses Argon2 with time_cost = 2, memory_cost = 102400, and parallelism = 8.

Hint

The password hashing can be customized using PASSWORD_HASHERS.

Password validation

When a user sets a password, it is validated to reduce the risk of weak passwords being used.

The recommended Weblate configuration verifies:

  • The password has to be at least 10 characters long and at most 72 characters long.

  • A password similar to the username or other user attributes is rejected.

  • A common or overly simple password is rejected.

  • Any password the user has used recently is rejected.

  • Password strength is optionally checked using the zxcvbn algorithm.

Hint

The password validation can be customized using AUTH_PASSWORD_VALIDATORS.
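The rules listed above, as an added stand-alone illustration (not Weblate's or Django's validator code): it returns every reason a candidate password fails, so the whole policy can be exercised against sample input. The 0.7 similarity ratio, the tiny common-password list and the SHA-256 history entries are assumptions made for this example; the optional zxcvbn strength check is omitted.

```python
import hashlib
import re
from difflib import SequenceMatcher

MIN_LENGTH = 10             # lower bound from the rules above
MAX_LENGTH = 72             # upper bound from the rules above
SIMILARITY_THRESHOLD = 0.7  # assumption: Django's UserAttributeSimilarityValidator default

# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password123"}


def digest(password: str) -> str:
    """Illustrative history entry only. A real deployment compares against the
    stored password hashes (Argon2 in the recommended configuration), not SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def too_similar(password: str, attribute: str) -> bool:
    """Compare the password with each word of the attribute and with the whole attribute."""
    lowered = password.lower()
    value = attribute.lower()
    parts = [p for p in re.split(r"\W+", value) + [value] if p]
    return any(
        SequenceMatcher(a=lowered, b=part).quick_ratio() >= SIMILARITY_THRESHOLD
        for part in parts
    )


def validate_password(password, username="", email="", previous_digests=()):
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        errors.append(f"longer than {MAX_LENGTH} characters")
    # Username and e-mail stand in for the user attributes the rules mention.
    if any(too_similar(password, attr) for attr in (username, email) if attr):
        errors.append("too similar to a user attribute")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("common or overly simple password")
    if digest(password) in previous_digests:
        errors.append("used recently")
    return errors
```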

Social or third-party authentication

Weblate does not store any passwords or enforce any password policy when social or third-party authentication is configured. The passwords are, in such a case, fully managed externally.

See also

Authentication