Using the password validator

class pwned_passwords_django.validators.PwnedPasswordsValidator

Django's auth system (located in django.contrib.auth) includes a configurable password-validation framework with several built-in validators. pwned-passwords-django provides an additional validator which checks the Pwned Passwords database. To enable it, set your AUTH_PASSWORD_VALIDATORS setting to include pwned_passwords_django.validators.PwnedPasswordsValidator, like so:

    AUTH_PASSWORD_VALIDATORS = [
        {
            'NAME': 'pwned_passwords_django.validators.PwnedPasswordsValidator',
        },
    ]
This will cause most high-level password-setting operations to check the Pwned Passwords database, and reject any password found there. Specifically, password validators are applied:
- Whenever a user changes or resets their password with Django's built-in auth views
- Whenever a new user is created via Django's built-in UserCreationForm
- Whenever the createsuperuser or changepassword management commands are used
- Whenever an instance of the built-in User model is saved after the instance's set_password() method has been called.
Keep in mind that validation is not run when code sets or changes a user’s password in other ways. If you manipulate user passwords through means other than the high-level APIs listed above, you’ll need to manually check passwords.