Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#30100 closed New feature (wontfix)

Add a Validator that uses Troy Hunts Have I been pwned Database to validate passwords.

Reported by: Logan Owned by: nobody
Component: contrib.auth Version: 2.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Add an optional validator that would use the Hash API(https://haveibeenpwned.com/API/v2#PwnedPasswords) in Troy Hunt's Database of pwned passwords. To increase the unique password requirements.

I have created an example validator that could be improved upon if interested (remove dependency of requests), https://gist.github.com/loganstartoni/213e1043314affb56eafc02885494f40.

I think this feature could increase awareness of the database as well as alerting users to the vulnerability of the common passwords that they are reusing.

The Validator as written makes an API call to the haveibeenpwned api and checks the returned hashes against the user inputted password. If the password is pwned it then alerts the user to how many times the password has be pwned.

Change History (2)

comment:1 by Tim Graham, 6 years ago

Resolution: wontfix
Status: newclosed

I think that's a good candidate for a third-party package. If it matures and gets widespread adoption, we could consider including it in contrib.auth, however, I think that most projects won't want a network dependency for validating passwords. In that case, please make your proposal on the DevelopersMailingList as it reaches a wider audience than this ticket tracker.

comment:2 by Adam Johnson, 5 years ago

This is available in the pwned-passwords-django package by James Bennett: https://pypi.org/project/pwned-passwords-django/ :)

Note: See TracTickets for help on using tickets.
Back to Top