A Django password validator that checks Troy Hunt's PWNED Passwords API to see if a password has been involved in a major security breach before.
Project description
======================
Django PWNED Passwords
======================
.. image:: https://badge.fury.io/py/django-pwned-passwords.svg
:target: https://badge.fury.io/py/django-pwned-passwords
.. image:: https://travis-ci.org/jamiecounsell/django-pwned-passwords.svg?branch=master
:target: https://travis-ci.org/jamiecounsell/django-pwned-passwords
.. image:: https://codecov.io/gh/jamiecounsell/django-pwned-passwords/branch/master/graph/badge.svg
:target: https://codecov.io/gh/jamiecounsell/django-pwned-passwords
django-pwned-passwords is a Django password validator that checks Troy Hunt's PWNED Passwords API to see if a password has been involved in a major security breach before.
**Note: This app currently sends a portion of a user's hashed password to a third party. Before using this application, you should understand how that impacts you.**
Documentation
-------------
The full documentation is at https://django-pwned-passwords.readthedocs.io.
Requirements
------------
* Django [1.8, 1.11], 2.0
* Python 2.7, [3.4, 3.6]
Quickstart
----------
Install django-pwned-passwords::
pip install django-pwned-passwords
Add it to your `INSTALLED_APPS`:
.. code-block:: python
INSTALLED_APPS = (
...
'django_pwned_passwords',
...
)
Add django-pwned-passwords's PWNEDPasswordValidator:
.. code-block:: python
AUTH_PASSWORD_VALIDATORS = [
...
{
'NAME': 'django_pwned_passwords.password_validation.PWNEDPasswordValidator'
}
]
Features
--------
This password validator returns a ValidationError if the PWNED Passwords API
detects the password in its data set. Note that the API is heavily rate-limited,
so there is a timeout (:code:`PWNED_VALIDATOR_TIMEOUT`).
If :code:`PWNED_VALIDATOR_FAIL_SAFE` is True, anything besides an API-identified bad password
will pass, including a timeout. If :code:`PWNED_VALIDATOR_FAIL_SAFE` is False, anything
besides a good password will fail and raise a ValidationError.
Settings
--------
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| Setting | Description | Default |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_TIMEOUT` | The timeout in seconds. The validator will not wait longer than this for a response from the API. | :code:`2` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_FAIL_SAFE` | If the API fails to get a valid response, should we fail safe and allow the password through? | :code:`True` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_URL` | The URL for the API in a string format. | :code:`https://haveibeenpwned.com/api/v2/pwnedpassword/{short_hash}` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_ERROR` | The error message for an invalid password. | :code:`"Your password was determined to have been involved in a major security breach."` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_ERROR_FAIL` | The error message when the API fails. Note: this will only display if :code:`PWNED_VALIDATOR_FAIL_SAFE` is `False`. | :code:`"We could not validate the safety of this password. This does not mean the password is invalid. Please try again later."` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_HELP_TEXT` | The help text for this password validator. | :code:`"Your password must not have been detected in a major security breach."` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
Rate Limiting
-------------
Historically, requests to the API were rate limited. However, with the new k-anonymity model-based API, there are no such rate limits.
Running Tests
-------------
::
source <YOURVIRTUALENV>/bin/activate
(myenv) $ pip install tox
(myenv) $ tox
Credits
-------
Tools used in rendering this package:
* Cookiecutter_
* `cookiecutter-djangopackage`_
.. _Cookiecutter: https://github.com/audreyr/cookiecutter
.. _`cookiecutter-djangopackage`: https://github.com/pydanny/cookiecutter-djangopackage
History
-------
0.2.0 (2018-03-05)
++++++++++++++++++
* Improved password checking.
* No longer sends user passwords to a third party. Now uses havebeenpwned's k-anonymity_ model)
* Thank you @Plazmaz
.. _k-anonymity: https://en.wikipedia.org/wiki/K-anonymity
0.1.0 (2017-08-05)
++++++++++++++++++
* Initial beta release. Working as intended. **Note: This app currently sends user passwords to a third party. There are obvious security risks associated with this practice.**
0.0.1 (2017-08-04)
++++++++++++++++++
* Beta version, getting everything working.
Django PWNED Passwords
======================
.. image:: https://badge.fury.io/py/django-pwned-passwords.svg
:target: https://badge.fury.io/py/django-pwned-passwords
.. image:: https://travis-ci.org/jamiecounsell/django-pwned-passwords.svg?branch=master
:target: https://travis-ci.org/jamiecounsell/django-pwned-passwords
.. image:: https://codecov.io/gh/jamiecounsell/django-pwned-passwords/branch/master/graph/badge.svg
:target: https://codecov.io/gh/jamiecounsell/django-pwned-passwords
django-pwned-passwords is a Django password validator that checks Troy Hunt's PWNED Passwords API to see if a password has been involved in a major security breach before.
**Note: This app currently sends a portion of a user's hashed password to a third party. Before using this application, you should understand how that impacts you.**
Documentation
-------------
The full documentation is at https://django-pwned-passwords.readthedocs.io.
Requirements
------------
* Django [1.8, 1.11], 2.0
* Python 2.7, [3.4, 3.6]
Quickstart
----------
Install django-pwned-passwords::
pip install django-pwned-passwords
Add it to your `INSTALLED_APPS`:
.. code-block:: python
INSTALLED_APPS = (
...
'django_pwned_passwords',
...
)
Add django-pwned-passwords's PWNEDPasswordValidator:
.. code-block:: python
AUTH_PASSWORD_VALIDATORS = [
...
{
'NAME': 'django_pwned_passwords.password_validation.PWNEDPasswordValidator'
}
]
Features
--------
This password validator returns a ValidationError if the PWNED Passwords API
detects the password in its data set. Note that the API is heavily rate-limited,
so there is a timeout (:code:`PWNED_VALIDATOR_TIMEOUT`).
If :code:`PWNED_VALIDATOR_FAIL_SAFE` is True, anything besides an API-identified bad password
will pass, including a timeout. If :code:`PWNED_VALIDATOR_FAIL_SAFE` is False, anything
besides a good password will fail and raise a ValidationError.
Settings
--------
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| Setting | Description | Default |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_TIMEOUT` | The timeout in seconds. The validator will not wait longer than this for a response from the API. | :code:`2` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_FAIL_SAFE` | If the API fails to get a valid response, should we fail safe and allow the password through? | :code:`True` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_URL` | The URL for the API in a string format. | :code:`https://haveibeenpwned.com/api/v2/pwnedpassword/{short_hash}` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_ERROR` | The error message for an invalid password. | :code:`"Your password was determined to have been involved in a major security breach."` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_ERROR_FAIL` | The error message when the API fails. Note: this will only display if :code:`PWNED_VALIDATOR_FAIL_SAFE` is `False`. | :code:`"We could not validate the safety of this password. This does not mean the password is invalid. Please try again later."` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| :code:`PWNED_VALIDATOR_HELP_TEXT` | The help text for this password validator. | :code:`"Your password must not have been detected in a major security breach."` |
+------------------------------------+---------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
Rate Limiting
-------------
Historically, requests to the API were rate limited. However, with the new k-anonymity model-based API, there are no such rate limits.
Running Tests
-------------
::
source <YOURVIRTUALENV>/bin/activate
(myenv) $ pip install tox
(myenv) $ tox
Credits
-------
Tools used in rendering this package:
* Cookiecutter_
* `cookiecutter-djangopackage`_
.. _Cookiecutter: https://github.com/audreyr/cookiecutter
.. _`cookiecutter-djangopackage`: https://github.com/pydanny/cookiecutter-djangopackage
History
-------
0.2.0 (2018-03-05)
++++++++++++++++++
* Improved password checking.
* No longer sends user passwords to a third party. Now uses havebeenpwned's k-anonymity_ model)
* Thank you @Plazmaz
.. _k-anonymity: https://en.wikipedia.org/wiki/K-anonymity
0.1.0 (2017-08-05)
++++++++++++++++++
* Initial beta release. Working as intended. **Note: This app currently sends user passwords to a third party. There are obvious security risks associated with this practice.**
0.0.1 (2017-08-04)
++++++++++++++++++
* Beta version, getting everything working.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for django-pwned-passwords-2.0.1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | d93975401d63d98eb7caa85da3930c929d1f193d2c362d657ada91899625edf3 |
|
MD5 | 74a418d5706179457eb7ce5ca2b368f6 |
|
BLAKE2b-256 | 1e37d3c9e411e5ad490d1b8825f7cc2f16367cc456cc5132d3af510c1e9405f7 |
Close
Hashes for django_pwned_passwords-2.0.1-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 12754008edcad006ca936fcacada68e7634955e8156f4c884c8fb39289b8c2ff |
|
MD5 | b01410e45c180a4baf9050159efde524 |
|
BLAKE2b-256 | fc20b4565f308a34fdd1ec44c7362aeb016ee983dc4874ec3d7a8dd31dcc0f2d |