
PCI-compliant authentication application for Django 1.4+. Uses "best of" existing libraries then fills in the gaps.

Project description

Django 1.4+ only

This application integrates the current Django “best of” PCI auth libraries into a single application, then fills in the gaps. Filling gaps may involve making additional decisions for you, as suggested by Django Documentation e.g.:

Or in some cases, additional functionality may be provided by this package e.g.:

  • XXX Add example

Features

XXX Done

  • Stronger password hashing that allows for selection of hashing algorithm scrypt, bcrypt, PBKDF2, etc. via settings.py. [1]

  • Checking for strong passwords with a default length setting overrideable in settings.py. [2]

  • Integrate strong passwords into Django Admin.

  • Lock out account for n minutes after x failed log-in attempts. [3]

  • Set inactivity timeouts.

XXX Not done

  • Set flags disallowing certain accounts to be locked out.

  • Generate event/email when lock-out occurs.

  • Log every log-on and explicit log-out (not necessarily timed-out log-ins).

    • XXX I assume these need to persist beyond a restart

  • Track last four passwords and do not allow re-use.

    • XXX I assume these need to persist beyond a restart

  • Provide JavaScript to check for strong passwords inline.

    • XXX I assume the JavaScript code should check the Django settings via AJAX re: password length min/max, etc.

  • Force password reset after X amount of time.

    • XXX I assume these need to persist beyond a restart
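The three account-protection features listed above (minimum password length from settings, lock-out for n minutes after x failures, no re-use of the last four passwords) can be modelled in plain Python without Django. The following block is an added illustration, not code from django-pci-auth; the setting names (PASSWORD_MIN_LENGTH, LOGIN_FAILURE_LIMIT, LOCKOUT_MINUTES, PASSWORD_HISTORY_LENGTH), the class names and the in-memory storage are all assumptions made here for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed setting names and defaults (placeholders for this example, not the
# package's real settings.py keys).
PASSWORD_MIN_LENGTH = 8          # default length, overrideable in settings.py
LOGIN_FAILURE_LIMIT = 3          # x failed log-in attempts ...
LOCKOUT_MINUTES = 15             # ... lock the account for n minutes
PASSWORD_HISTORY_LENGTH = 4      # track the last four passwords


def check_password_strength(password, min_length=PASSWORD_MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    return problems


class LoginThrottle:
    """Lock an account for `lockout_minutes` once `limit` failures occur inside that window.

    State is kept in memory here; a real deployment would persist it (e.g. in a
    database table) so that a restart does not silently clear an active lock.
    """

    def __init__(self, limit=LOGIN_FAILURE_LIMIT, lockout_minutes=LOCKOUT_MINUTES, clock=time.time):
        self.limit = limit
        self.lockout_seconds = lockout_minutes * 60
        self.clock = clock                 # injectable so tests can advance time
        self.failures = {}                 # username -> timestamps of recent failures
        self.locked_until = {}             # username -> time the lock expires

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: forget it and the old failures
            del self.locked_until[username]
            self.failures.pop(username, None)
            return False
        return True

    def record_failure(self, username):
        """Record one failed attempt; return True if it triggered a lock-out."""
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < self.lockout_seconds]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= self.limit:
            self.locked_until[username] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, username):
        """A successful log-in resets the failure counter."""
        self.failures.pop(username, None)


class PasswordHistory:
    """Remember salted hashes of the last `keep` passwords so none can be reused."""

    def __init__(self, keep=PASSWORD_HISTORY_LENGTH):
        self.keep = keep
        self.entries = {}                  # username -> [(salt, digest), ...], newest last

    @staticmethod
    def _digest(password, salt):
        # Iteration count kept low for a fast demo; production would use far more.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000)

    def was_used(self, username, password):
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self.entries.get(username, []))

    def record(self, username, password):
        salt = os.urandom(16)
        history = self.entries.setdefault(username, [])
        history.append((salt, self._digest(password, salt)))
        del history[:-self.keep]           # drop anything older than the last `keep`


def demo():
    """Exercise the three pieces with a fake clock and return the observed outcomes."""
    now = [0.0]
    throttle = LoginThrottle(limit=3, lockout_minutes=15, clock=lambda: now[0])
    lock_sequence = [throttle.record_failure("alice") for _ in range(3)]  # [False, False, True]
    locked_now = throttle.is_locked("alice")
    now[0] += 15 * 60                      # advance past the lock-out window
    locked_later = throttle.is_locked("alice")

    history = PasswordHistory(keep=4)
    for pw in ["pass-1", "pass-2", "pass-3", "pass-4", "pass-5"]:
        history.record("bob", pw)
    return {
        "weak": check_password_strength("short"),
        "lock_sequence": lock_sequence,
        "locked_now": locked_now,
        "locked_after_window": locked_later,
        "reuse_oldest": history.was_used("bob", "pass-1"),   # aged out of the last four
        "reuse_recent": history.was_used("bob", "pass-2"),
    }
```

The throttle counts only failures inside the lock-out window, so stale failures from hours ago do not combine with a single fresh typo to lock a user out; the history stores per-entry salted PBKDF2 digests rather than plaintext, so a leaked history table does not reveal old passwords.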

Background

PCI is complex. Here is a bit of background on the subject, inasmuch as it is possible to summarize it here.

Levels

XXX Do we need to worry about levels?

  • PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region

  • PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)

  • PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually

  • PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

Via: http://www.elementps.com/merchants/pci-dss/compliance-level/

Libraries

A list of libraries included:

Articles

A list of relevant articles:

Settings

Stronger password hashing

This is a built-in feature in Django 1.4+. Documented here for convenience:

PASSWORD_HASHERS = (
    # From https://docs.djangoproject.com/en/1.4/topics/auth/:
    # "[redacted] This means that Django will use the first hash in the list
    # to store all passwords, but will support checking passwords stored with
    # the rest of the hashes in the list. If you remove a hash from the list
    # it will no longer be supported."
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)
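The behaviour the quoted documentation describes (first hasher encodes every new password, the rest only verify what is already stored, a removed hasher's rows stop verifying) is easy to see in a small stand-alone model. The block below is an added example written for this page, not Django's code and not part of django-pci-auth; the hasher classes, the encoded-string layout and the `setter` callback are modelled on Django's but are this example's own assumptions, and the iteration count is deliberately low so the demo runs quickly.

```python
import base64
import hashlib
import hmac
import os


class PBKDF2SHA256Hasher:
    """Encodes as 'pbkdf2_sha256$<iterations>$<salt>$<base64 hash>' (same layout as Django's)."""
    algorithm = "pbkdf2_sha256"
    digest = "sha256"
    iterations = 10000  # low for a fast demo; production uses far more

    def encode(self, password, salt=None, iterations=None):
        salt = salt or base64.b64encode(os.urandom(9)).decode()   # 12 chars, never contains '$'
        iterations = iterations or self.iterations
        raw = hashlib.pbkdf2_hmac(self.digest, password.encode(), salt.encode(), iterations)
        return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, base64.b64encode(raw).decode())

    def verify(self, password, encoded):
        _, iterations, salt, _ = encoded.split("$", 3)
        return hmac.compare_digest(encoded, self.encode(password, salt, int(iterations)))


class PBKDF2SHA1Hasher(PBKDF2SHA256Hasher):
    algorithm = "pbkdf2_sha1"
    digest = "sha1"


class SHA1Hasher:
    """Legacy layout 'sha1$<salt>$<hex sha1(salt + password)>': one unstretched SHA-1.

    Kept in the list only so rows hashed this way can still be verified and upgraded.
    """
    algorithm = "sha1"

    def encode(self, password, salt=None):
        salt = salt or base64.b64encode(os.urandom(9)).decode()
        return "sha1$%s$%s" % (salt, hashlib.sha1((salt + password).encode()).hexdigest())

    def verify(self, password, encoded):
        _, salt, _ = encoded.split("$", 2)
        return hmac.compare_digest(encoded, self.encode(password, salt))


# Order matters exactly as the settings comment says: the first entry encodes
# new passwords, the rest are only consulted to verify what is already stored.
PASSWORD_HASHERS = [PBKDF2SHA256Hasher(), PBKDF2SHA1Hasher(), SHA1Hasher()]


def identify_hasher(encoded):
    """Pick the hasher whose algorithm prefix matches; None if it is not (or no longer) listed."""
    prefix = encoded.split("$", 1)[0]
    for hasher in PASSWORD_HASHERS:
        if hasher.algorithm == prefix:
            return hasher
    return None


def make_password(password):
    return PASSWORD_HASHERS[0].encode(password)


def check_password(password, encoded, setter=None):
    """Verify against whichever listed hasher produced `encoded`.

    On success, if that hasher is not the preferred (first) one, call `setter`
    so the caller can re-store the password under the preferred algorithm. This
    is how an ordered hasher list lets old hashes be upgraded at log-in time.
    """
    hasher = identify_hasher(encoded)
    if hasher is None:
        return False                       # algorithm removed from the list: no longer supported
    ok = hasher.verify(password, encoded)
    if ok and setter is not None and hasher is not PASSWORD_HASHERS[0]:
        setter(password)
    return ok


def demo():
    """A legacy sha1 row is verified, then transparently upgraded to the preferred hasher."""
    stored = {"pw": SHA1Hasher().encode("correct horse", salt="saltsalt")}   # constructed row
    legacy_ok = check_password("correct horse", stored["pw"],
                               setter=lambda p: stored.update(pw=make_password(p)))
    return {
        "legacy_ok": legacy_ok,
        "now_preferred": stored["pw"].startswith("pbkdf2_sha256$"),
        "still_ok": check_password("correct horse", stored["pw"]),
        "wrong_rejected": check_password("wrong", stored["pw"]),
        "removed_algorithm": check_password("correct horse", "md5$abc$0123"),
    }
```

The practical consequence for a migration: keep the legacy hashers at the end of the list until every active user has logged in once (which triggers the upgrade), then remove them; any row still carrying a removed prefix will fail verification and needs a password reset.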

Screenshots

Overview of features

https://raw.github.com/aclark4life/django-pci-auth/master/screenshot-index.png

Password length enforcement

https://raw.github.com/aclark4life/django-pci-auth/master/screenshot.png

Failed login attempts log

https://raw.github.com/aclark4life/django-pci-auth/master/screenshot-axes.png

License

This software is licensed under the same BSD license that Django is licensed under. See: LICENSE.

Download files

Source Distribution: django-pci-auth-0.0.3.zip (168.6 kB)
