【Question title】: Python Django prevent password reuse
【Published】: 2020-10-16 09:41:14
【Question】:

I am currently trying to prevent users from using their old passwords (configurable, e.g. the last 5 passwords).

I have the following information:

  • the plaintext user password from the form during validation (form.cleaned_data['new_password1'])
  • their current hashed password (pwd_before_change)
  • their last x passwords, also hashed (pws)

Interestingly, my code works for the current password but not for my old passwords:

```python
pwd_before_change = user_to_change.password
....
old_pws = Passwords.objects.filter(username=user_to_change).order_by('-password_changed')[:allowed_reuse].values_list('password', flat=True)
....
if old_pws:
    for pws in old_pws:
        # The ':' after the condition was missing in the posted snippet
        if check_password(form.cleaned_data['new_password1'], pws) or \
                check_password(form.cleaned_data['new_password1'], pwd_before_change):

            messages.error(request,
                           f'You are not allowed a password which was already used in the last '
                           f'{allowed_reuse + 1} iterations')
            return render(request, 'registration/password_change.html', {
                'form': form
            })
```

Any ideas what the problem could be? (Additional info: I am using Argon2.) Do I really need to re-encode the plaintext password with every possible "salt" from the old passwords and check again? (That would make the approach dependent on the hash function, which is not ideal, plus I think the check_password function is made exactly for such a scenario?)

【Question discussion】:

    Tags: django


    【Solution 1】:

    OK, not sure what exactly the problem was, but I split the "if" and now it works:

```python
logger_user.info("User {} is attempting a password change".format(username))
if form.is_valid():

    # Get the allowed Password counter from the settings, reduce by 1 as the current password is also checked!
    allowed_reuse = settings.PASSWORD_REUSE - 1
    logger_user.info(f"Allowed PWs: {allowed_reuse + 1}")

    # First check: the new password must not equal the current one
    if check_password(form.cleaned_data['new_password1'], pwd_before_change):
        messages.error(request, 'You are not allowed to re-use your current password')
        return render(request, 'registration/password_change.html', {
            'form': form
        })

    # Retrieve the last x passwords according to the Password Reuse Setting
    old_pws = Passwords.objects.filter(username=user_to_change).order_by('-password_changed')[:allowed_reuse].values_list('password', flat=True)

    # Compare the new password with the old passwords
    if old_pws:
        for pw in old_pws:
            if check_password(form.cleaned_data['new_password1'], pw):

                messages.error(request,
                               f'You are not allowed a password which was already used in the last '
                               f'{allowed_reuse + 1} iterations')
                return render(request, 'registration/password_change.html', {
                    'form': form
                })
```
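The question at the end of the post (whether the plaintext has to be re-hashed with every old salt) is answered by how Django-style encoded hashes work: the salt is stored inside the encoded string, so a single verification call per stored hash reads the salt back out and recomputes the digest with it. The following added example (not the poster's code and not Django itself) demonstrates the same reuse check against a history list with a stand-in `make_password`/`check_password` pair built on PBKDF2-SHA256 from the standard library; the encoded format, the iteration count and the `password_was_used` helper are assumptions of this example, but the lookup logic is the same one Django's `check_password` performs for PBKDF2 or Argon2 hashes.

```python
import base64
import hashlib
import hmac
import os

# Assumption for this example: a stand-in for Django's make_password/check_password.
# The stored string carries algorithm, iterations, salt and digest, so verification
# never needs the salt from anywhere else: "pbkdf2_sha256$<iter>$<salt>$<digest>".
ITERATIONS = 100_000  # deliberately low for a fast example; Django uses far more


def make_password(plain, salt=None):
    """Hash `plain` with a fresh random 16-byte salt (or the one given)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def check_password(plain, encoded):
    """Recompute the digest using the salt embedded in `encoded` and compare."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = encoded.split("$")
    except ValueError:
        return False  # malformed stored value, treat as no match
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison, as Django does, to avoid timing side channels
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def password_was_used(new_plain, current_hash, old_hashes, allowed_reuse):
    """Reuse check mirroring the answer above.

    `old_hashes` is the history, most recent first, like the poster's query
    ordered by '-password_changed'. Only the first `allowed_reuse` entries are
    considered. Returns "current" if the new password equals the current one,
    "history[i]" for a match at position i, or None if the password is new.
    """
    if check_password(new_plain, current_hash):
        return "current"
    for index, old in enumerate(old_hashes[:allowed_reuse]):
        if check_password(new_plain, old):
            return f"history[{index}]"
    return None


if __name__ == "__main__":
    # Constructed sample data: five historical hashes, each with its own salt
    history = [make_password(f"old-password-{i}") for i in range(5)]
    current = make_password("current-password")
    print(password_was_used("current-password", current, history, 4))  # current
    print(password_was_used("old-password-2", current, history, 4))   # history[2]
    print(password_was_used("old-password-4", current, history, 4))   # None (outside window)
    print(password_was_used("something-new", current, history, 4))    # None
```

Because every stored hash has its own salt, two hashes of the same plaintext differ, yet each one verifies on its own; that is why the loop over `old_pws` in the answer is sufficient and no manual re-salting is needed. The window is applied with a slice so that a configured limit of N (the poster's `settings.PASSWORD_REUSE`) covers the current password plus N-1 history entries.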

    【Discussion】:
