Skip to main content

PCI-compliant authentication application for Django 1.4+. Uses "best of" existing libraries then fills in the gaps.

Project description

Django 1.4+ only

This application integrates the current Django “best of” PCI auth libraries into a single application, then fills in the gaps. Filling gaps may involve making additional decisions for you, as suggested by Django Documentation e.g.:

Or in some cases, additional functionality may be provided by this package e.g.:

  • XXX Add example


XXX Done

  • Stronger password hashing that allows for selection of hashing algorithm scrypt, bcrypt, PBKDF2, etc. via [1]

  • Checking for strong passwords with a default length setting overrideable in [2]

  • Integrate strong passwords into Django Admin.

  • Lock out account for n minutes after x failed log-in attempts. [3]

  • Set inactivity timeouts.

XXX Not done

  • Set flags disallowing certain accounts to be locked out.

  • Generate event/email when lock-out occurs.

  • Log every log-on and explicit log-out (not necessary timed out log-ins).

    • XXX I assume these need to persist beyond a restart

  • Track last four passwords and do not allow re-use.

    • XXX I assume these need to persist beyond a restart

  • Provide JavaScript to check for strong passwords inline.

    • XXX I assume the javascript code should check the Django settings via AJAX re: password length min/max, etc.

  • Force password reset after X amount of time.

    • XXX I assume these need to persist beyond a restart


PCI is complex. Here is a bit of background on the subject. Inasmuch as it’s possible to summarize here.


XXX Do we need to worry about levels?

  • PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region

  • PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)

  • PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually

  • PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually



A list of libraries included:


A list of relevant articles:


Stronger password hashing

This is a built-in feature in Django 1.4+. Documented here for convenience:

    # From
    # "[redacted] This means that Django will use the first hash in the list
    # to store all passwords, but will support checking passwords stored with
    # the rest of the hashes in the list. If you remove a hash from the list
    # it will no longer be supported.


Overview of features

Password length enforcement

Failed login attempts log


This software is licensed under the same BSD license that Django is licensed under. See: LICENSE.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution (168.6 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page