Reputation: 8418
I have a site with a few thousand registered users. In the unfortunate event when someone steals passwords from my database, I would like to have a plan A and a plan B. I guess plan B would be to change all user passwords (using a small python script and a random password generator) and email those new ones to the users. I can do that, easily.
Plan A (which sounds more appropriate, I am not sure how to do it) would be to force users to create new passwords by expiring the old ones, the first time they visit the page after the attack.
Does Django have a feature like this? How can it be done efficiently and fast?
Note: My User/UserProfile Models at the moment have not been designed with that situation in mind.
Upvotes: 1
Views: 1399
Reputation: 174708
The first thing you should do is deactivate all users so they cannot log in. One way to do that is with set_unusable_password(). This will invalidate all passwords; or you can set is_active to False. This will disable the user wholesale.
Next, you can have users reset their passwords. There are built-in helpers and forms for that as well.
Upvotes: 5
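An added, stand-alone example (not code from the answer above and not Django's own code) of the flow the answer describes: mark every stored hash unusable so no login succeeds, then let each user back in only through a signed reset token. The User class, SECRET_KEY and token format are assumptions made for this illustration; they mimic Django's behaviour (the "!" unusable-password prefix and a reset token bound to the current password hash, so the link dies once the password changes) but are not Django's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed example: a model of "invalidate every password, then let each
# user reset via a signed, single-use link". The User class, SECRET_KEY and the
# token format are assumptions for this example, not Django code.

UNUSABLE_PREFIX = "!"  # marker Django also uses for unusable passwords
SECRET_KEY = b"example-secret-key-do-not-reuse"  # constructed; settings.SECRET_KEY in real life


def hash_password(password, iterations=100_000, salt=None):
    """PBKDF2-SHA256 in a Django-like 'algo$iterations$salt$hash' encoding."""
    salt = salt or secrets.token_hex(8)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


def check_password(password, encoded):
    """False for any unusable hash, otherwise a constant-time comparison."""
    if encoded.startswith(UNUSABLE_PREFIX):
        return False
    _algo, iterations, salt, _digest = encoded.split("$", 3)
    candidate = hash_password(password, int(iterations), salt)
    return hmac.compare_digest(candidate, encoded)


class User:
    def __init__(self, user_id, email, raw_password):
        self.id = user_id
        self.email = email
        self.password = hash_password(raw_password)

    def set_password(self, raw_password):
        self.password = hash_password(raw_password)

    def set_unusable_password(self):
        # Random junk behind the prefix: nothing the user could type matches it.
        self.password = UNUSABLE_PREFIX + secrets.token_urlsafe(30)

    def has_usable_password(self):
        return not self.password.startswith(UNUSABLE_PREFIX)


def invalidate_all_passwords(users):
    """Plan A, step 1: lock every account until its owner chooses a new password."""
    for user in users:
        user.set_unusable_password()
    return len(users)


def _token_payload(user, timestamp):
    # Binding the token to the stored hash makes it single-use: once the user
    # sets a new password, the same token no longer verifies.
    return f"{user.id}:{user.password}:{timestamp}".encode()


def make_reset_token(user, now=None):
    timestamp = int(time.time() if now is None else now)
    sig = hmac.new(SECRET_KEY, _token_payload(user, timestamp), "sha256").hexdigest()
    return f"{timestamp}-{sig}"


def check_reset_token(user, token, max_age=3600, now=None):
    """True only for an unexpired token signed over this user's current hash."""
    try:
        ts_str, sig = token.split("-", 1)
        timestamp = int(ts_str)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, _token_payload(user, timestamp), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    current = time.time() if now is None else now
    return 0 <= current - timestamp <= max_age


def login(user, raw_password):
    """Login gate: an unusable hash can never authenticate."""
    return check_password(raw_password, user.password)


def needs_reset(user):
    """What a middleware would check to send the user to the reset form."""
    return not user.has_usable_password()


if __name__ == "__main__":
    alice = User(1, "alice@example.com", "correct horse")
    invalidate_all_passwords([alice])
    assert not login(alice, "correct horse") and needs_reset(alice)
    token = make_reset_token(alice)
    assert check_reset_token(alice, token)
    alice.set_password("battery staple")
    assert not check_reset_token(alice, token)  # old link is dead
    assert login(alice, "battery staple") and not needs_reset(alice)
    print("plan A flow ok")
```

The point worth taking from it: after the bulk invalidation nothing the attacker dumped (or the user remembers) authenticates, and the reset link is both time-limited and tied to the hash it was issued against, so a leaked or reused link cannot change the password twice.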
Reputation: 39699
In my opinion you should go for Plan B. Check Management Commands:
import secrets

from django.core.management.base import BaseCommand
from django.contrib.auth.models import User
from django.utils.translation import gettext_lazy as _


class Command(BaseCommand):
    help = _('Change password of all users.')

    def handle(self, *args, **options):
        users = User.objects.all()
        for user in users:
            # generate a random password (cryptographically secure source)
            random_pwd = secrets.token_urlsafe(12)
            user.set_password(random_pwd)
            user.save()
            # send email to user
Upvotes: 1