Back-end and Front-end password validation with ZXCVBN.

Django ZXCVBN Password

A combination of pirandig’s django-zxcvbn and aj-may’s django-password-strength Django apps. It combines back-end and front-end validation with strength meter display.

License

Software licensed under ISC license.

Installation

pip install django-zxcvbn-password

Requirements

The JavaScript code of this application uses jQuery, but jQuery is not bundled with it. Please install it separately. You might also want to use Bootstrap.

Usage

# settings.py

INSTALLED_APPS = [
    ...
    'zxcvbn_password',
    ...
]

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
    {
        'NAME': 'zxcvbn_password.ZXCVBNValidator',
        'OPTIONS': {
            'min_score': 3,
            'user_attributes': ('username', 'email', 'first_name', 'last_name')
        }
    }
]

# forms.py

from django import forms
from zxcvbn_password.fields import PasswordField, PasswordConfirmationField

class RegisterForm(forms.Form):
    password1 = PasswordField()
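    password2 = PasswordConfirmationField(confirm_with=password1)

# views.py

from django.contrib.auth.models import User

# Inside the view, once the form has been bound to the submitted data:
if form.is_valid():
    # create_user() hashes the password before storing it
    user = User.objects.create_user(
        username=...,
        password=form.cleaned_data['password1']
    )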

By default, other inputs won’t be used to compute the score, but you can enforce it like this:

# forms.py

from django import forms
from zxcvbn_password import zxcvbn
from zxcvbn_password.fields import PasswordField, PasswordConfirmationField

class RegisterForm(forms.Form):
    password1 = PasswordField()
    password2 = PasswordConfirmationField(confirm_with=password1)

    def clean(self):
        password = self.cleaned_data.get('password1')
        other_field1 = ...
        other_field2 = ...

        if password:
            score = zxcvbn(password, [other_field1, other_field2])['score']
            # score is between 0 and 4
            # raise forms.ValidationError if needed

        return self.cleaned_data

Custom frequency lists

zxcvbn-python supports custom frequency lists. You can specify your own in the validator by adding frequency_lists to the ZXCVBNValidator options in AUTH_PASSWORD_VALIDATORS, where dutch_words is a list of strings:

# settings.py

AUTH_PASSWORD_VALIDATORS = [
    ...
    {
        'NAME': 'zxcvbn_password.ZXCVBNValidator',
        'OPTIONS': {
            'frequency_lists': {
                'dutch': dutch_words,
            }
        }
    }
]
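One way to prepare the dutch_words list used above, as an added example that is not part of the project's own code. zxcvbn-python ranks each word by its position in the list and matches against the lowercased password, so the list should be lowercase, free of duplicates and ordered most frequent first. The function name, the "word count" input format and the minimum-length cutoff are assumptions of this example.

```python
# Added example: build a ranked word list for the 'frequency_lists' option.
from collections import Counter

# Constructed sample corpus, one "word count" pair per line (assumed format).
SAMPLE_CORPUS = """\
# word count
wachtwoord 120
Welkom 310
welkom 95
amsterdam 240
ik 900
fiets 240
kapot
"""


def build_frequency_list(text, min_length=3):
    """Return words ordered most frequent first, lowercased and de-duplicated.

    build_frequency_list is a hypothetical helper, not a zxcvbn_password API.
    """
    counts = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # malformed row: skip it rather than guess a count
        word = parts[0].lower()  # matching is done on the lowercased password
        if len(word) < min_length:
            continue  # cutoff chosen for this example: very short words add noise
        counts[word] += int(parts[1])  # merge case variants into one entry
    # Position in the list becomes the rank: highest count first, ties by name.
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return [word for word, _ in ranked]


# In settings.py this list is what the 'dutch' key above would receive:
#     'frequency_lists': {'dutch': dutch_words}
dutch_words = build_frequency_list(SAMPLE_CORPUS)
```

Merging case variants before ranking matters: a word repeated later in the list would otherwise overwrite its earlier, better rank.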

Screen-shot

https://cloud.githubusercontent.com/assets/3999221/23079032/5ae1513a-f54b-11e6-9d66-90660ad5fb2d.png

Documentation

On ReadTheDocs

Development

To run all the tests: tox

Similar projects

You should check out django-zxcvbn-password-validator for backend validation only, but with a good UX and translated messages.

Changelog

2.1.1 (2021-12-16)

  • Avoid using deprecated ugettext (PR #143).

2.1.0 (2019-12-15)

  • Allow specifying frequency lists in ZXCVBNValidator options (baa47cd).

  • Return warnings as validationErrors, create list of warning/suggestion to return as ValidationError(s), fixing translations (12946bb).

2.0.3 (2019-02-21)

  • Use new location for package python-zxcvbn, now zxcvbn (2ea1b69).

2.0.2 (2018-08-21)

Documented

  • Improve usage notes (7a1ed42). Related issues/PRs: #31.

Fixed

  • Fix call to super in PasswordConfirmationInput (fc551b8).

  • Improve password validator help text (c5d21a1). Related issues/PRs: #46.

  • Strength bar color goes green only when superior to min score (9a44fd8). Related issues/PRs: #3.

Tests

  • Add django 1.11 tests (815aaef).

  • Add py37/pypy plus django 2.0 tests, remove py34 tests (05711cd).

2.0.1 (2017-02-17)

  • Fix call to super in PasswordStrengthInput.

2.0.0 (2017-02-17)

  • Drop Django 1.8 support in favor of AUTH_PASSWORD_VALIDATORS setting introduced in Django 1.9.

  • Update zxcvbn to more recent version (dwolfhub/zxcvbn-python on GitHub).

  • Update JavaScript code to latest version.

  • Remove all settings (they now go in AUTH_PASSWORD_VALIDATORS options).

  • Change license to ISC.

Thanks to Nick Stefan and Daniel Wolf.

1.1.0 (2016-10-18)

  • Cookiecutterize the project.

1.0.5 (2015-03-31)

  • I don’t remember.

1.0.3 (2015-03-12)

  • Switch README to rst.

  • Fix manifest rules.

1.0.2 (2015-03-12)

  • Change package name from django_zxcvbn_password to zxcvbn_password.

1.0.0 (2015-02-21)

  • Beta release on PyPI.

0.1.0 (2015-02-01)

  • Alpha release on PyPI.
