pwned-passwords-django provides helpers for working with the Pwned Passwords database from Have I Been Pwned in Django powered sites. Pwned Passwords is an extremely large database of passwords known to have been compromised through data breaches, and is useful as a tool for rejecting common or weak passwords.
There are three main components to this application:
- A password validator which integrates with Django's password-validation tools and checks the Pwned Passwords database.
- A Django middleware (supporting both sync and async requests) which automatically checks certain request payloads against the Pwned Passwords database.
- An API client providing direct access (both sync and async) to the Pwned Passwords database.
All three use a secure, anonymized API which never transmits any password or its full hash to any third party.
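The anonymized lookup behind all three components is a k-anonymity range query: only the first five hex characters of the password's SHA-1 leave the machine, and the returned list of suffixes is compared locally. The following is an added illustration of that exchange, not the package's own code; the function names, the stand-in range endpoint and the breach counts are all constructed for the example.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into the 5-character
    prefix that is sent to the API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def make_fake_range_server(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the Pwned Passwords range endpoint (not the real
    service). Given a 5-character prefix it returns every matching 'SUFFIX:COUNT'
    line, CRLF-separated, which is the shape of the real response body."""
    by_prefix: Dict[str, Dict[str, int]] = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        by_prefix.setdefault(prefix, {})[suffix] = count

    def fetch_range(prefix: str) -> str:
        # The only thing the server ever learns is this 5-character prefix.
        if len(prefix) != 5:
            raise ValueError("range queries take exactly 5 hex characters")
        rows = sorted(by_prefix.get(prefix, {}).items())
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)

    return fetch_range


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    suffixes: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        suffixes[suffix.upper()] = int(count)
    return suffixes


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side of the check: send the prefix, match the suffix locally.
    Returns the breach count, or 0 when the password is not in the range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)
```

A validator or middleware built on this would reject the password whenever `pwned_count` is non-zero; the full password and its full hash never appear in `fetch_range`'s input.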
The recommended configuration is to enable both the validator and the automatic password-checking middleware. To do this, make the following changes to your Django settings.
First, add the validator to your AUTH_PASSWORD_VALIDATORS list:
    AUTH_PASSWORD_VALIDATORS = [
        # ... other password validators ...
        {
            "NAME": "pwned_passwords_django.validators.PwnedPasswordsValidator",
        },
    ]
Then, add the middleware to your MIDDLEWARE list:
    MIDDLEWARE = [
        # ... other middleware ...
        "pwned_passwords_django.middleware.pwned_passwords_middleware",
    ]
For more details, consult the full documentation.