A Django password validator that checks Troy Hunt's PWNED Passwords API to see if a password has been involved in a major security breach before.
Project description
django-pwned-passwords is a Django password validator that checks Troy Hunt’s PWNED Passwords API to see if a password has been involved in a major security breach before.
Note: This app currently sends user passwords to a third party. There are obvious security risks associated with this practice.
Documentation
The full documentation is at https://django-pwned-passwords.readthedocs.io.
Requirements
Django [1.8, 1.11]
Python 2.7, [3.4, 3.6]
Quickstart
Install django-pwned-passwords:
pip install django-pwned-passwords
Add it to your INSTALLED_APPS:
INSTALLED_APPS = (
...
'django_pwned_passwords',
...
)Add django-pwned-passwords’s PWNEDPasswordValidator:
AUTH_PASSWORD_VALIDATORS = [
...
{
'NAME': 'django_pwned_passwords.password_validation.PWNEDPasswordValidator'
}
]Features
This password validator returns a ValidationError if the PWNED Passwords API
detects the password in its data set. Note that the API is heavily rate-limited,
so there is a timeout (PWNED_VALIDATOR_TIMEOUT).
If PWNED_VALIDATOR_FAIL_SAFE is True, anything besides an API-identified bad password
will pass, including a timeout. If PWNED_VALIDATOR_FAIL_SAFE is False, anything
besides a good password will fail and raise a ValidationError.
Settings
Setting |
Description |
Default |
|
The timeout in seconds. The validator will not wait longer than this for a response from the API. |
|
|
If the API fails to get a valid response, should we fail safe and allow the password through? |
|
|
The URL for the API in a string format. |
|
|
The error message for an invalid password. |
|
|
The error message when the API fails. Note: this will only display if |
|
|
The help text for this password validator. |
|
Rate Limiting
Requests to the Pwned Passwords API are limited to one per every 1500 milliseconds each from any given IP address
(an address may request both APIs within this period). Any request that exceeds the limit will receive an
HTTP 429 “Too many requests” response. If PWNED_VALIDATOR_FAIL_SAFE is True, rate limited responses will simply
allow the password through. Otherwise, they will fail and the user will not be able to register until the
API returns a non-429 status code.
Running Tests
source <YOURVIRTUALENV>/bin/activate (myenv) $ pip install tox (myenv) $ tox
Credits
Tools used in rendering this package:
History
0.1.0 (2017-08-05)
Initial beta release. Working as intended. Note: This app currently sends user passwords to a third party. There are obvious security risks associated with this practice.
0.0.1 (2017-08-04)
Beta version, getting everything working.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for django-pwned-passwords-0.1.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2969a4ee57870d08354467656b40d7f7e92bededf3f6d320bd2bd0373b6fdcca |
|
| MD5 | a6b9ee575d00f4963521f7a4801a4d50 |
|
| BLAKE2b-256 | 4e7a272ae33f8fa3feb85476a4d952d6da4a0ac695f1e25fcd18db6a773fa09c |
Hashes for django_pwned_passwords-0.1.0-py2.py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b58b886ae72ad76b2280d769a4c8ee57da79c4b122472858bfc4252e47238dc7 |
|
| MD5 | 92757e9e81bb96c3a0013bea84e1c719 |
|
| BLAKE2b-256 | fb6e1e16a800b742e53ef366876c4d93d3abbfc4ebdf644cf172ee3c58758a90 |
