pwned-passwords-django 5.1.3
pwned-passwords-django provides helpers for working with the Pwned Passwords database from Have I Been Pwned in Django-powered sites. Pwned Passwords is an extremely large database of passwords known to have been compromised through data breaches, and is useful as a tool for rejecting common or weak passwords.
There are three main components to this application:
A password validator which integrates with Django’s password-validation tools and checks the Pwned Passwords database.
A Django middleware (supporting both sync and async requests) which automatically checks certain request payloads against the Pwned Passwords database.
An API client providing direct access (both sync and async) to the Pwned Passwords database.
All three use a secure, anonymized API which never transmits any password or its full hash to any third party.
Usage
The recommended configuration is to enable both the password validator and the automatic password-checking middleware. To do this, make the following changes to your Django settings.
First, add the validator to your AUTH_PASSWORD_VALIDATORS list:
AUTH_PASSWORD_VALIDATORS = [
    # ... other password validators ...
    {
        "NAME": "pwned_passwords_django.validators.PwnedPasswordsValidator",
    },
]
Then, add the middleware to your MIDDLEWARE list:
MIDDLEWARE = [
    # ... other middleware ...
    "pwned_passwords_django.middleware.pwned_passwords_middleware",
]
Documentation contents
Installation and usage
API reference
Other documentation