Skip to main content

A Django password validator that checks Troy Hunt's PWNED Passwords API to see if a password has been involved in a major security breach before.

Project description

https://badge.fury.io/py/django-pwned-passwords.svg https://travis-ci.org/jamiecounsell/django-pwned-passwords.svg?branch=master https://codecov.io/gh/jamiecounsell/django-pwned-passwords/branch/master/graph/badge.svg

django-pwned-passwords is a Django password validator that checks Troy Hunt’s PWNED Passwords API to see if a password has been involved in a major security breach before.

Note: This app currently sends a portion of a user’s hashed password to a third party. Before using this application, you should understand how that impacts you.

Documentation

The full documentation is at https://django-pwned-passwords.readthedocs.io.

Requirements

  • Django [1.9, 2.1]
  • Python 2.7, [3.5, 3.6, 3.7]

Quickstart

Install django-pwned-passwords:

pip install django-pwned-passwords

Add it to your INSTALLED_APPS:

INSTALLED_APPS = (
    ...
    'django_pwned_passwords',
    ...
)

Add django-pwned-passwords’s PWNEDPasswordValidator:

AUTH_PASSWORD_VALIDATORS = [
    ...
    {
        'NAME': 'django_pwned_passwords.password_validation.PWNEDPasswordValidator'
    }
]

Features

This password validator returns a ValidationError if the PWNED Passwords API detects the password in its data set. Note that the API is heavily rate-limited, so there is a timeout (PWNED_VALIDATOR_TIMEOUT).

If PWNED_VALIDATOR_FAIL_SAFE is True, anything besides an API-identified bad password will pass, including a timeout. If PWNED_VALIDATOR_FAIL_SAFE is False, anything besides a good password will fail and raise a ValidationError.

Settings

Setting Description Default
PWNED_VALIDATOR_TIMEOUT The timeout in seconds. The validator will not wait longer than this for a response from the API. 2
PWNED_VALIDATOR_FAIL_SAFE If the API fails to get a valid response, should we fail safe and allow the password through? True
PWNED_VALIDATOR_URL The URL for the API in a string format. https://haveibeenpwned.com/api/v2/pwnedpassword/{short_hash}
PWNED_VALIDATOR_ERROR The error message for an invalid password. "Your password was determined to have been involved in a major security breach."
PWNED_VALIDATOR_ERROR_FAIL The error message when the API fails. Note: this will only display if PWNED_VALIDATOR_FAIL_SAFE is False. "We could not validate the safety of this password. This does not mean the password is invalid. Please try again later."
PWNED_VALIDATOR_HELP_TEXT The help text for this password validator. "Your password must not have been detected in a major security breach."
PWNED_VALIDATOR_MINIMUM_BREACHES The minimum number of breaches needed to raise an error 1

Rate Limiting

Historically, requests to the API were rate limited. However, with the new k-anonymity model-based API, there are no such rate limits.

Running Tests

source <YOURVIRTUALENV>/bin/activate
(myenv) $ pip install tox
(myenv) $ tox

Credits

Tools used in rendering this package:

History

See Github Releases

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for django-pwned-passwords, version 4.1.0
Filename, size File type Python version Upload date Hashes
Filename, size django_pwned_passwords-4.1.0-py2.py3-none-any.whl (7.6 kB) File type Wheel Python version 3.6 Upload date Hashes View
Filename, size django-pwned-passwords-4.1.0.tar.gz (7.0 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page