Skip to main content

A Django password validator using the Pwned Passwords API to check for compromised passwords.

Project description

Django Pwned

pypi tests ci coverage MIT black

A collection of django password validators.

Compatibility

  • Python: 3.8, 3.9, 3.10, 3.11, 3.12
  • Django: 4.2, 5.0

Installation

pip install django-pwned

For translations to work, add django_pwned to INSTALLED_APPS.

TL;DR:

AUTH_PASSWORD_VALIDATORS = [
    {"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"},
    {"NAME": "django_pwned.validators.GitHubLikePasswordValidator"},
    {"NAME": "django_pwned.validators.MinimumUniqueCharactersPasswordValidator"},
    {"NAME": "django_pwned.validators.PwnedPasswordValidator"},
]

Validators

PwnedPasswordValidator(request_timeout=1.5, count_threshold=1)

This validator uses the Pwned Passwords API to check for compromised passwords.

Internally, this validator checks password with django's CommonPasswordValidator and if password was not in django's list, uses Pwned API to check password. So you can remove CommonPasswordValidator if you're using this validator.

AUTH_PASSWORD_VALIDATORS = [
    # ...
    # {"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator"},
    {"NAME": "django_pwned.validators.PwnedPasswordValidator"},
    # ...
]

You can set the API request timeout with the request_timeout parameter (in seconds).

You can set the count_threshold to reject a password if it appears more than a certain number of times in the Pwned Passwords data set. By default, this threshold is set to 1. For instance, setting count_threshold=2 means the password will be rejected if it appears in the data set at least twice.

Example configuration:

AUTH_PASSWORD_VALIDATORS = [
    # ...
    {
      "NAME": "django_pwned.validators.PwnedPasswordValidator",
      "OPTIONS": {
        "request_timeout": 2,
        "count_threshold": 5,
      },
    },
    # ...
]

If for any reason (connection issues, timeout, ...) the request to Pwned API fails, this validator skips checking password and logs a message.

GitHubLikePasswordValidator(min_length=8, safe_length=15)

Validates whether the password is at least:

  • 8 characters long, if it includes a number and a lowercase letter, or
  • 15 characters long with any combination of characters

Based on GitHub's documentation about creating a strong password.

You may want to disable Django's NumericPasswordValidator and MinimumLengthValidator if you want to use GitHubLikePasswordValidator.

The minimum number of characters can be customized with the min_length parameter. The length at which we remove the restriction about requiring both number and lowercase letter can be customized with the safe_length parameter.

MinimumUniqueCharactersPasswordValidator(min_unique_characters=4)

Validates whether the password contains at least 4 unique characters. For example aaaaaaaaaabbbbbbccc is an invalid password, but aAbB is a valid password.

The minimum number of unique characters can be customized with the min_unique_characters parameter.

Development

  • Create and activate a python virtualenv.
  • Install development dependencies in your virtualenv: pip install -e '.[dev]'
  • Install pre-commit hooks: pre-commit install
  • Run tests with coverage: py.test --cov

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django_pwned-1.2.1.tar.gz (10.7 kB view details)

Uploaded Source

Built Distribution

django_pwned-1.2.1-py3-none-any.whl (8.7 kB view details)

Uploaded Python 3

File details

Details for the file django_pwned-1.2.1.tar.gz.

File metadata

  • Download URL: django_pwned-1.2.1.tar.gz
  • Upload date:
  • Size: 10.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.0 CPython/3.12.4

File hashes

Hashes for django_pwned-1.2.1.tar.gz
Algorithm Hash digest
SHA256 e43620a2980ff3ab8766e74eb8d71fb3e6cde86e274444e9f48253b9431ab3d9
MD5 d47a0d68f97cac67ece104ec26256b0f
BLAKE2b-256 599f85435c4b1df6382ffce99d6e998f854a045a4e72de0b01be908df3a36734

See more details on using hashes here.

File details

Details for the file django_pwned-1.2.1-py3-none-any.whl.

File metadata

File hashes

Hashes for django_pwned-1.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 76cea422ce51725d514868f63b847070b01e477f0f49bd95804b13ae6a18c997
MD5 7fda262ab81a70b1fe20747492effdfd
BLAKE2b-256 ce53da93e569b0c0587c33e7cf015a1ecb2a6edbc3822ef1a16b4de445225e8a

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page