Validate user passwords against haveibeenpwned.com database.
Think twice before using this package. Let your clients know you're testing their passwords against a 3rd-party service. Client trust should be your #1 priority. This projects only intends to highlight the need to ensure users select secure passwords, it is still a prototype and has not been tested in any production environment.
Restrict your Django project users from using a password that has been located even once in the haveibeenpwned.com database. Doing this makes your project a more secure place for your clients.
This package requires requests Python library. You can install it with
pip install requests, if it doesn't already exist in your project requirements.
- Clone the repo inside your project
- In your app's settings file, locate the
AUTH_PASSWORD_VALIDATORSand append thePwnedPasswordValidatorvalidator.
{
'NAME': 'django_pwned_validator.validators.PwnedPasswordValidator',
}You can check out the example project to get an idea of how it works.
- Reddit user
Poromenos(https://www.reddit.com/r/django/comments/81z84w/validate_user_passwords_against_haveibeenpwnedcom/)
Feel free to send any PRs or open issues with ideas for implementation.