jamiecounsell/django-pwned-passwords

Cross-references new Django registration passwords with "Have I Been PWNED?".


Django PWNED Passwords


django-pwned-passwords is a Django password validator that checks Troy Hunt's PWNED Passwords API to see if a password has already appeared in a major security breach.

Note: This app sends a portion of a user's hashed password to a third party on every validation. Before using this application, you should understand how that impacts you, and whether you want validation to fail open or fail closed when that third party is unreachable (see PWNED_VALIDATOR_FAIL_SAFE below).

Documentation

The full documentation is at https://django-pwned-passwords.readthedocs.io.

Requirements

  • Django 1.9 to 2.1
  • Python 2.7, 3.5, 3.6, 3.7

Quickstart

Install django-pwned-passwords:

pip install django-pwned-passwords

Add it to your `INSTALLED_APPS`:

INSTALLED_APPS = (
    ...
    'django_pwned_passwords',
    ...
)

Add django-pwned-passwords's PWNEDPasswordValidator to AUTH_PASSWORD_VALIDATORS:

AUTH_PASSWORD_VALIDATORS = [
    ...
    {
        'NAME': 'django_pwned_passwords.password_validation.PWNEDPasswordValidator'
    }
]

Features

This password validator raises a ValidationError if the PWNED Passwords API reports the password in its data set at least PWNED_VALIDATOR_MINIMUM_BREACHES times. Because every check is a network call, the request is bounded by a timeout (PWNED_VALIDATOR_TIMEOUT).

If PWNED_VALIDATOR_FAIL_SAFE is True, the validator fails open: anything other than an API-identified bad password passes, including a timeout or any other API error. If PWNED_VALIDATOR_FAIL_SAFE is False, it fails closed: anything other than a confirmed good password raises a ValidationError, using PWNED_VALIDATOR_ERROR_FAIL as the message when the API could not be reached. Choose deliberately: failing open means an API outage lets breached passwords through, while failing closed means an outage blocks registrations and password changes until the API recovers.

Settings

PWNED_VALIDATOR_TIMEOUT (default: 2)
    The timeout in seconds. The validator will not wait longer than this for a response from the API.

PWNED_VALIDATOR_FAIL_SAFE (default: True)
    If the API fails to return a valid response, should we fail safe and allow the password through?

PWNED_VALIDATOR_URL (default: https://haveibeenpwned.com/api/v2/pwnedpassword/{short_hash})
    The URL for the API, as a Python format string.

PWNED_VALIDATOR_ERROR (default: "Your password was determined to have been involved in a major security breach.")
    The error message for an invalid password.

PWNED_VALIDATOR_ERROR_FAIL (default: "We could not validate the safety of this password. This does not mean the password is invalid. Please try again later.")
    The error message when the API fails. Note: this is only shown if PWNED_VALIDATOR_FAIL_SAFE is False.

PWNED_VALIDATOR_HELP_TEXT (default: "Your password must not have been detected in a major security breach.")
    The help text for this password validator.

PWNED_VALIDATOR_MINIMUM_BREACHES (default: 1)
    The minimum number of breaches needed to raise an error.


Rate Limiting

Historically, requests to the API were rate limited. With the newer k-anonymity model-based API, in which only a short prefix of the password hash is sent and the comparison happens locally, there are no such rate limits. The timeout still applies, since the API can be slow or unreachable.
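The following is an added example, not code from django-pwned-passwords, showing in plain Python (no Django) the two behaviours described in the Features and Rate Limiting sections: the k-anonymity split of the SHA-1 hash into a short prefix that is sent and a suffix that is compared locally, and the fail-open/fail-closed decision driven by the fail-safe and minimum-breaches settings. It assumes the range-style response format of one "SUFFIX:COUNT" line per hash sharing the prefix, which the README does not show; the sample response, its counts and the simulated timeout are constructed for the example.

```python
import hashlib
from typing import Callable, Optional

# Constructed sample of a k-anonymity range response for the 5-character
# prefix "5BAA6". One entry is the real SHA-1 suffix of "password"; the
# other suffixes and all counts are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
)


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that leaves the machine and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix.

    The match is done locally, so the remote service only ever learns the
    prefix shared by every hash in the response. Absent suffix means 0."""
    for line in range_response.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def should_reject(count: Optional[int], fail_safe: bool,
                  minimum_breaches: int = 1) -> bool:
    """Apply the fail-safe policy. count is None when the API call failed
    (timeout, transport error, non-success status)."""
    if count is None:
        # fail_safe=True fails open (accept), fail_safe=False fails closed (reject)
        return not fail_safe
    return count >= minimum_breaches


def validate(password: str, fetch_range: Callable[[str], str],
             fail_safe: bool = True, minimum_breaches: int = 1) -> bool:
    """Return True if the password must be rejected.

    fetch_range is injected (a hypothetical transport taking the prefix and
    returning the response body) so the logic runs offline; any exception it
    raises stands in for a timeout or other API failure."""
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        body = fetch_range(prefix)
    except Exception:
        return should_reject(None, fail_safe, minimum_breaches)
    return should_reject(breach_count(suffix, body), fail_safe, minimum_breaches)


def offline_fetch(prefix: str) -> str:
    """Stand-in transport: serves the constructed sample for prefix 5BAA6."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def simulate_timeout(prefix: str) -> str:
    """Stand-in transport that always fails, like an API timeout."""
    raise TimeoutError("simulated API timeout for prefix " + prefix)


if __name__ == "__main__":
    print("reject 'password':", validate("password", offline_fetch))
    print("reject on timeout, fail open:", validate("password", simulate_timeout, fail_safe=True))
    print("reject on timeout, fail closed:", validate("password", simulate_timeout, fail_safe=False))
```

Note that the only network-visible value is the 5-character prefix; the full digest and the comparison never leave the process, which is what makes the "portion of a user's hashed password" caveat above acceptable for many deployments but still worth a conscious decision.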

Running Tests

source <YOURVIRTUALENV>/bin/activate
(myenv) $ pip install tox
(myenv) $ tox

Credits

Tools used in rendering this package:
