Frequently asked questions

The following notes answer some common questions, and may be useful to you when using pwned-passwords-django.

What versions of Django and Python are supported?

pwned-passwords-django 5.0.0 supports Django 4.2, and 5.0, and Python 3.8 through 3.12. See Django’s Python support matrix for details of which Python versions are compatible with each version of Django.

Should I use the validator, the middleware, or the API directly?

It’s recommended to enable both the validator and the middleware. The validator by itself can catch many attempts to set a user’s password to a known-compromised value, but cannot catch cases where a user already has a compromised password and is continuing to use it, or when a user’s password is set/changed by something other than Django’s standard auth components. The middleware can catch that case, provided you’re checking the request.pwned_passwords attribute in your view code.

Using the direct API should only be necessary in rare cases where neither the validator nor the middleware is sufficient.

I’m getting timeouts from the Pwned Passwords API. What can I do?

By default, pwned-passwords-django makes requests to the Pwned Passwords API with a timeout of one second. You can change this by specifying the Django setting PWNED_PASSWORDS and setting the key API_TIMEOUT in it to a float indicating your preferred timeout in seconds. For example, to have a timeout of one and a half seconds, you’d set:

PWNED_PASSWORDS = {
    "API_TIMEOUT": 1.5,
}

How can this be secure? It’s sending passwords to some random site!

It’s not actually sending passwords to any other site, and that’s the magic.

You can read about this in the post announcing the launch of version 2 of Pwned Passwords, but the summary of how it works is:

1. pwned-passwords-django hashes the password, and sends only the first five digits of the hexadecimal digest of the hash to Pwned Passwords.

2. Pwned Passwords responds with a list of hash suffixes (all the digits of the hash except the first five) for every entry in its database matching the submitted five-digit prefix.

3. pwned-passwords-django checks that list to see if the remainder of the password hash is present, and if so treats the password as compromised.

This means that neither the password, nor the full hash of the password, is ever sent to any third-party site or service by pwned-passwords-django.

Warning

You can still accidentally disclose passwords!

pwned-passwords-django uses an API that never discloses the password or its hash, but that doesn’t mean the rest of your code or third-party libraries won’t.

You should take care to use Django’s tools for filtering sensitive information from tracebacks and error reports to ensure that your logging and monitoring systems don’t accidentally log or expose raw passwords or their hashes. The utilities inside pwned-passwords-django do what they can to mitigate this, but other code that interacts with pwned-passwords-django may need take its own measures.

You should also be extremely conservative about allowing third-party JavaScript to run on your site, and periodically audit all JavaScript you use; remember that JavaScript can access anything your users enter on your site, and potentially do malicious things with that information.

How do I run the tests?

pwned-passwords-django’s tests are run using nox, but typical installation of pwned-passwords-django (via pip install pwned-passwords-django) will not install the tests.

To run the tests, download the source (.tar.gz) distribution of pwned-passwords-django 5.0.0 from its page on the Python Package Index, unpack it (tar zxvf pwned-passwords-django-|version|.tar.gz on most Unix-like operating systems), and in the unpacked directory run the following at a command prompt:

macOS/Linux/other Unix

python -m pip install nox
python -m nox

Windows

py -m pip install nox
py -m nox

Note that to run the full test matrix you will need to have each supported version of Python available. To run only specific test tasks, you can invoke nox with the -s flag to select a single test task, -t to run all tasks matching a particular tag (like docs), or --python passing a Python version to run only tasks for that version. For example, to run tests for Python 3.10 only, you could run:

macOS/Linux/other Unix

python -m nox --python "3.10"

Windows

py -m nox --python "3.10"

By default, nox will only run the tasks whose associated Python versions are available on your system. For example, if you have only Python 3.8 and 3.9 installed, test runs for Python 3.10, 3.11, and 3.12 would be skipped.

How am I allowed to use this code?

pwned-passwords-django is distributed under a three-clause BSD license. This is an open-source license which grants you broad freedom to use, redistribute, modify and distribute modified versions of pwned-passwords-django. For details, see the file LICENSE in the source distribution of pwned-passwords-django.

I found a bug or want to make an improvement!

The canonical development repository for pwned-passwords-django is online at <https://github.com/ubernostrum/pwned-passwords-django>. Issues and pull requests can both be filed there.