ubernostrum/pwned-passwords-django

pwned-passwords-django provides helpers for working with the Pwned Passwords database from Have I Been Pwned in Django powered sites. Pwned Passwords is an extremely large database of passwords known to have been compromised through data breaches, and is useful as a tool for rejecting common or weak passwords.

There are three main components to this application:

A password validator which integrates with Django's password-validation tools and checks the Pwned Passwords database.
A Django middleware (supporting both sync and async requests) which automatically checks certain request payloads against the Pwned Passwords database.
An API client providing direct access (both sync and async) to the Pwned Passwords database.

All three use a secure, anonymized API which never transmits any password or its full hash to any third party.

Usage

The recommended configuration is to enable both the validator and the automatic password-checking middleware. To do this, make the following changes to your Django settings.

First, add the validator to your AUTH_PASSWORD_VALIDATORS list:

AUTH_PASSWORD_VALIDATORS = [
    # ... other password validators ...
    {
        "NAME": "pwned_passwords_django.validators.PwnedPasswordsValidator",
    },
]

Then, add the middleware to your MIDDLEWARE list:

MIDDLEWARE = [
    # .. other middlewares ...
    "pwned_passwords_django.middleware.pwned_passwords_middleware",
]

For more details, consult the full documentation.

pwned-passwords-django

Commits

Update pre-commit hooks.

Release 5.1.0.

Begin testing against Django 5.1.

Release 5.0.0.

Expand/reorganize documentation.

Fix formatting in docs header.

README

Usage